CVE-2024-21628 : Security Advisory and Response
XSS vulnerability allows malicious scripts via 'add a message form' on PrestaShop. Update to version 8.1.3 to mitigate risks.
This CVE involves an XSS vulnerability that allows malicious scripts to be stored in the database through an "add a message form" on the order detail page of PrestaShop.
Understanding CVE-2024-21628
This vulnerability, tracked as CVE-2024-21628, is related to improper neutralization of input during web page generation, specifically Cross-Site Scripting (XSS) in PrestaShop prior to version 8.1.3.
What is CVE-2024-21628?
PrestaShop, an open-source e-commerce platform, is affected by this vulnerability due to the absence of the isCleanHtml method in the form, enabling the storage of XSS payloads in the database. Although the impact is low in the back office (BO) as HTML is not interpreted, the XSS attack in the front office (FO) can affect the customer initiating it or the customer session from which it originated.
The Impact of CVE-2024-21628
The impact of this vulnerability is considered medium, with a base score of 5.4 (MEDIUM) according to the CVSS V3.1 metrics. The attack complexity is low, requiring network access and user interaction. It has a low availability impact, no integrity impact, and low confidentiality impact. Privileges required are low, and the scope is changed.
Technical Details of CVE-2024-21628
This section delves into the specifics of the vulnerability, including its description, affected systems and versions, and exploitation mechanism.
Vulnerability Description
The issue arises from the lack of proper input sanitization in the "add a message form" on the order detail page, allowing attackers to store malicious scripts in the database.
Affected Systems and Versions
PrestaShop versions prior to 8.1.3 are impacted by this CVE, with versions below this threshold being susceptible to the XSS vulnerability.
Exploitation Mechanism
The vulnerability can be exploited by submitting a crafted payload via the message form, resulting in the execution of malicious scripts when the stored data is retrieved and displayed without adequate HTML escaping.
Mitigation and Prevention
To address CVE-2024-21628, immediate action is necessary to mitigate the risk and prevent potential exploits.
Immediate Steps to Take
- Update PrestaShop to version 8.1.3 or newer, which contains a patch for this vulnerability.
- Review and sanitize input fields to prevent the storage of malicious scripts in the database.
- Implement Content Security Policy (CSP) headers to mitigate XSS risks.
Long-Term Security Practices
- Regularly monitor and audit the application for security vulnerabilities.
- Educate developers on secure coding practices, including input validation and output encoding.
- Stay informed about security advisories and apply patches promptly.
Patching and Updates
Ensure that all software components, including PrestaShop and its dependencies, are kept up to date to mitigate known vulnerabilities and enhance overall security posture. Regularly check for security updates and apply patches promptly to protect against emerging threats.