CVE-2025-24027

ps_contactinfo has potential XSS due to usage of the nofilter tag in template

Description

ps_contactinfo, a PrestaShop module for displaying store contact information, has a cross-site scripting (XSS) vulnerability in versions up to and including 3.3.2. This cannot be exploited in a fresh install of PrestaShop; only shops made vulnerable by third-party modules are concerned. For example, if the shop has a third-party module vulnerable to SQL injection, then ps_contactinfo might execute a stored cross-site scripting payload when formatting objects. Commit d60f9a5634b4fc2d3a8831fb08fe2e1f23cbfa39 keeps formatted addresses from displaying an XSS payload stored in the database, and the fix is expected to be available in version 3.3.3. No workarounds are available aside from applying the fix and keeping all modules maintained and updated.
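The underlying pattern, as an added illustration that is not the module's code or its actual fix: a formatted address is legitimately multi-line, which is why a template may emit it with `nofilter` (disabling Smarty's auto-escaping) and thereby trust whatever the database holds. The safe pattern escapes each stored line and adds the line-break markup itself. Function names and the sample address are assumptions for this example.

```php
<?php
declare(strict_types=1);

/**
 * Unsafe: hands the stored lines to the browser raw.
 * Equivalent in effect to `{$address_formatted nofilter}` in a Smarty template.
 */
function renderAddressUnsafe(array $lines): string
{
    return implode('<br />', $lines);
}

/**
 * Safe: every stored value is HTML-escaped before output, so the only
 * markup reaching the page is the <br /> separators written here.
 */
function renderAddressSafe(array $lines): string
{
    $escaped = array_map(
        static fn(string $line): string => htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $lines
    );
    return implode('<br />', $escaped);
}

// Constructed sample (hypothetical): one line contains markup, as if it had been
// written into the shop's address data by some other vulnerable component.
$storedLines = [
    'Example Shop',
    '1 Sample Street <script>/* injected */</script>',
    '12345 Sampletown',
];

echo renderAddressUnsafe($storedLines), PHP_EOL; // the <script> element is emitted verbatim
echo renderAddressSafe($storedLines), PHP_EOL;   // it is rendered as visible text instead
```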

CVSS 3.1 score: 6.2 (Severity: Medium)
EPSS: 0.05%
Affected: PrestaShop ps_contactinfo

Frequently Asked Questions

What is the severity of CVE-2025-24027?
CVE-2025-24027 has been scored as a medium severity vulnerability.
How to fix CVE-2025-24027?
To fix CVE-2025-24027, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-24027 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-24027 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-24027?
CVE-2025-24027 affects PrestaShop ps_contactinfo.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.