prestashop/productcomments is vulnerable to cross-site scripting (XSS). A remote attacker can inject and execute arbitrary JavaScript in a user’s browser via various parameters within the application. The vulnerability exists because the Content-Type of the server response is not set to application/json, causing the browser to interpret the JSON response as HTML and render any unescaped HTML it contains.
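The weak response pattern described above, next to a hardened one. This is an added illustration in plain PHP, not code from prestashop/productcomments. The function names and the sample data are hypothetical, and the `nosniff` header and `JSON_HEX_*` flags are defence in depth beyond the Content-Type fix the advisory implies.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from prestashop/productcomments.
// Function names and the sample data are hypothetical.

/**
 * Weak pattern: the JSON body is produced without a Content-Type header,
 * so PHP's default_mimetype (text/html) applies and the browser parses
 * the response body as HTML.
 */
function renderJsonWeak(array $data): string
{
    return (string) json_encode($data);
}

/**
 * Hardened pattern: declare the body as JSON, forbid MIME sniffing, and
 * hex-escape HTML metacharacters so the body stays inert even if some
 * client still renders it as HTML.
 */
function renderJsonHardened(array $data): string
{
    if (!headers_sent()) {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }

    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample: a user-controlled field that contains markup.
$sample = ['comment' => '<b>review text</b>'];

// Weak: the "<" and ">" characters reach the client unchanged.
echo renderJsonWeak($sample), PHP_EOL;

// Hardened: "<", ">", "&", "'" and '"' are emitted as \uXXXX escapes.
echo renderJsonHardened($sample), PHP_EOL;
```

Both outputs decode to the same value in a JSON parser, so the hardened form does not change what a legitimate client receives.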