PT-2024-26130 · Unknown · Prestashop

Aelmokhtar · Published 2024-05-14 · Updated 2025-02-20 · CVE-2024-34716

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: PrestaShop versions 8.1.0 through 8.1.5

Description: A cross-site scripting (XSS) vulnerability is present in PrestaShop when the customer-thread feature flag is enabled. It allows an attacker to upload a malicious file containing an XSS payload that is executed when an administrator opens the attached file in the back office. The injected script can access the session and the security token, enabling it to perform any authenticated action within the administrator's rights. Over 300,000 results have been found to be potentially affected.

Recommendations: For PrestaShop versions 8.1.0 through 8.1.5, update to version 8.1.6 to resolve the issue. As a temporary workaround, disable the customer-thread feature flag until the update is applied.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2025-01960
BIT-PRESTASHOP-2024-34716
CVE-2024-34716
GHSA-45VM-3J38-7P78

Affected Products

Prestashop