PrestaShop before 1.5.2 allows XSS via the «<object data=’data:text/html» substring in the message field.
