PrestaShop Cross-Site Scripting Vulnerability Affects Customer Thread Feature
CVE-2024-34716

6.1MEDIUM

Key Information:

Vendor: Prestashop
Status: Prestashop
Vendor: CVE Published:; 14 May 2024

What is CVE-2024-34716?

A cross-site scripting (XSS) vulnerability exists in PrestaShop, an open-source e-commerce web application, specifically affecting installations with the customer-thread feature enabled. This issue arises in versions from 8.1.0 to 8.1.5. Under certain conditions, a malicious actor can leverage the front-office contact form to upload a file that contains a harmful script. When an administrator accesses this file within the back office, the script executes, potentially granting the attacker access to sensitive session information and security tokens. This exploitation enables unauthorized actions under the administrator's privileges. The vulnerability has been resolved in version 8.1.6, and as an interim measure, it is advisable to disable the customer-thread feature-flag to mitigate risks.

Affected Version(s)

PrestaShop >= 8.1.0, < 8.1.6

References

https://github.com/PrestaShop/PrestaShop/security/advisor...

x_refsource_CONFIRM

https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6

x_refsource_MISC

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
May 7, 2024