Some attribute not escaped in Validate::isCleanHTML method
CVE-2024-21627

8.1 HIGH

Key Information:

Vendor: PrestaShop

CVE Published: 2 January 2024

What is CVE-2024-21627?

PrestaShop, an open-source e-commerce platform, has identified a vulnerability in its code: certain event attributes are not detected by the isCleanHTML method, so HTML containing them passes validation. As a result, some modules that rely on this method to filter user-supplied HTML may be susceptible to cross-site scripting attacks. Users of PrestaShop prior to versions 8.1.3 and 1.7.8.11 are advised to upgrade to these versions, which contain the patch for this issue. For a more robust defense, it is recommended to use the HTMLPurifier library, already integrated as a dependency of the PrestaShop project, to sanitize any HTML input from users. Note, however, that legacy object models with HTML-type fields will still invoke the isCleanHTML method, so upgrading remains necessary even where HTMLPurifier is used.

Affected Version(s)

PrestaShop >= 8.0.0, < 8.1.3 (patched in 8.1.3)

PrestaShop < 1.7.8.11 (patched in 1.7.8.11)

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved