CVE-2013-4791: 
PHP vulnerability analysis and mitigation

PrestaShop before version 1.4.11 contained a persistent Cross-Site Scripting (XSS) vulnerability that allowed users with low-level privileges such as Logisticians and translators to inject malicious code through the TinyMCE editor. The vulnerability was discovered in July 2013 and assigned identifier CVE-2013-4791 (PrestaShop Blog).

The vulnerability existed due to insufficient filtering of HTML events in the TinyMCE editor. Low-privileged users could inject malicious HTML code in CMS pages through TinyMCE's HTML mode, which would then execute when viewed by other users including administrators (PrestaShop Blog).

The vulnerability could be exploited to automatically log out administrators when hovering over injected content, spread malware, or steal user credentials through fake login prompts affecting visitors, authenticated users and administrators (PrestaShop Blog).

The vulnerability was fixed in PrestaShop version 1.4.11 and later versions of the 1.5.x branch. Users were advised to upgrade to these patched versions. The fix involved updating to a newer version of TinyMCE that properly filtered HTML events (PrestaShop Blog).

The PrestaShop development team acknowledged and addressed the vulnerability promptly after it was reported. They released a fix in version 1.4.11 and committed to backporting the patch to the 1.5.x branch (PrestaShop Blog).