Logisticians, translators and other low-level profiles/accounts could inject a persistent XSS vector through TinyMCE to affect users and even admins.
This is possible due to a flaw in TinyMCE, which does not filter some event-handler attributes in HTML (it blocks only a couple of them).
Proof-of-concept on a combined CSRF attack (logged in as logistician):
On a CMS page, enter the following HTML in TinyMCE (in HTML mode):
<img onmouseover="window.location.href = 'http://www.website-example.pt/loja/admin9050/index.php?logout'" src="x" alt="" />
When the admin hovers over the image, he is automatically logged out of the admin panel.
With a little imagination, this issue can be used to spread malware or grab users' credentials (by popping up a login screen) from visitors, authenticated users or even admins. (CVE-2013-4791)
The logout GET request should also have token protection, to prevent CSRF attacks. (CVE-2013-4792)
Keep in mind that the latest version of TinyMCE is patched against this issue.
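The following is an added example, not code from PrestaShop or TinyMCE: it contrasts a filter that blocks only a couple of named event handlers with a server-side allowlist that drops every attribute it does not explicitly permit. The blocked-event list, the allowed tags and attributes, the URL prefixes and the sample markup are all assumptions made for the illustration.

```python
# Added example, not PrestaShop or TinyMCE code; the policy values are assumptions.
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample modelled on the proof-of-concept above.
SAMPLE = '<img onmouseover="location.href=\'/admin/?logout\'" src="/x.png" alt="" />'
# Hypothetical blocklist naming only a couple of handlers (the flawed approach).
BLOCKED_EVENTS = ("onclick", "onload")

def blocklist_filter(html_in):
    pattern = r'\s(?:%s)\s*=\s*"[^"]*"' % "|".join(BLOCKED_EVENTS)
    return re.sub(pattern, "", html_in, flags=re.I)

# Allowlist: tag -> attributes that may survive; everything else is dropped.
ALLOWED = {"p": (), "b": (), "i": (), "em": (), "strong": (), "br": (),
           "a": ("href", "title"), "img": ("src", "alt")}
VOID, URL_ATTRS = {"br", "img"}, {"href", "src"}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag dropped; any text inside it is emitted escaped
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # every on* handler falls out here, listed or not
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # rejects javascript:, data: and other schemes
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s%s>" % (tag, "".join(kept), " /" if tag in VOID else ""))
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html_in):
    parser = AllowlistSanitizer()
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)
```

Running the sanitizer on the server when content is saved means the result does not depend on which editor version, or which HTTP client, submitted the markup.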
By the way I tested under PrestaShop 18.104.22.168.
The PrestaShop development team replied:
We have fixed this problem in our 1.4.11 release, and we will also put this patch in our next 1.5 release before the end of July.
Timeline:
05 Jun 2013: Reported to Prestashop
11 Jun 2013: Replied that their team were working on it
02 Jul 2013: Prestashop released a fix to this issue
08 Jul 2013: Full disclosure