{"id":"GHSA-vwfx-hh3w-fj99","summary":"Potential XSS injection in the newsletter conditions field","details":"### Impact\nAn employee can inject JavaScript into the newsletter conditions field; the injected script is then executed in the front office.\n\n### Patches\nThe issue has been fixed in version 2.6.1.","aliases":["CVE-2021-21418"],"modified":"2026-03-10T23:30:11.684007154Z","published":"2021-04-06T17:24:14Z","database_specific":{"nvd_published_at":"2021-03-31T18:15:00Z","github_reviewed":true,"cwe_ids":["CWE-79"],"severity":"MODERATE","github_reviewed_at":"2021-03-31T17:35:42Z"},"references":[{"type":"WEB","url":"https://github.com/PrestaShop/ps_emailsubscription/security/advisories/GHSA-vwfx-hh3w-fj99"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21418"},{"type":"WEB","url":"https://github.com/PrestaShop/ps_emailsubscription/commit/664ffb225e2afb4a32640bbedad667dc6e660b70"},{"type":"WEB","url":"https://github.com/PrestaShop/ps_emailsubscription/releases/tag/v2.6.1"},{"type":"WEB","url":"https://packagist.org/packages/prestashop/ps_emailsubscription"}],"affected":[{"package":{"name":"prestashop/ps_emailsubscription","ecosystem":"Packagist","purl":"pkg:composer/prestashop/ps_emailsubscription"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.6.1"}]}],"versions":["v1.0.1","v1.1.0","v1.1.1","v1.1.2","v1.1.6","v2.1.0","v2.2.0","v2.3.0","v2.5.0","v2.6.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-vwfx-hh3w-fj99/GHSA-vwfx-hh3w-fj99.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}]}