In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8
https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392
Source: Mitre, NVD
Published: 2020-09-24
Updated: 2026-06-17
Base Score: 3.5
Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N
Severity: Low
Base Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: Medium
EPSS: 0.00249