|preg_match() in latest PrestaShop|
See the screen below to understand where and how we can input HTML tags:
|How to exploit PrestaShop via BurpSuite|
... and yes, this vulnerability exists in the admin part of the application. ;)
* UPDATE *
After a few minutes I got the idea of how to extend this HTML injection attack to XSS, and...
there is an XSS vulnerability :)
A screenshot of the attack is below, but the payload string will not be published until the vendor responds.
|PrestaShop - Admin XSSed|
* UPDATE - 17.05.2013 *
Ok, still no response from the vendor... :)
The proof-of-concept code to inject XSS into PrestaShop is a base64-encoded payload:
Here we have a little example: