CVE-2021-21418: 
PHP vulnerability analysis and mitigation

CVE-2021-21418 is a vulnerability in the psemailsubscription module, a newsletter subscription module for the PrestaShop platform. The vulnerability was discovered and disclosed in March 2021, affecting versions prior to 2.6.1. The issue allows an employee to inject JavaScript code in the newsletter condition field that would then be executed on the front office ([GitHub Advisory](https://github.com/PrestaShop/psemailsubscription/security/advisories/GHSA-vwfx-hh3w-fj99)).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) with a moderate severity rating. The issue stems from improper sanitization of user input in the newsletter condition field, which allows for JavaScript injection that gets stored and later executed when viewed on the front office (GitHub Advisory).

When successfully exploited, this vulnerability allows malicious JavaScript code injected by an employee to be executed in the context of users visiting the front office of the PrestaShop installation. This could potentially lead to theft of user data, session hijacking, or other client-side attacks (GitHub Advisory).

The vulnerability was patched in version 2.6.1 of the psemailsubscription module. The fix involves properly escaping the newsletter condition field content using Tools::htmlentitiesUTF8() before displaying it on the front office. Users are advised to upgrade to version 2.6.1 or later to address this security issue (GitHub Release, [GitHub Commit](https://github.com/PrestaShop/psemailsubscription/commit/664ffb225e2afb4a32640bbedad667dc6e660b70)).