Platform: php
Component: prestashop
Fixed in: 8.1.1
CVE-2024-34716 describes a critical cross-site scripting (XSS) vulnerability affecting PrestaShop versions 8.1.0 through 8.1.5. It allows an attacker to inject a malicious script that executes when an administrator opens an attached file in the back office, potentially leading to session hijacking and unauthorized actions. The vulnerability is only reachable when the customer-thread feature flag is enabled, via the front-office contact form. A fix is available in PrestaShop 8.1.6.
The impact of this XSS vulnerability is significant. A successful exploit allows an attacker to upload a malicious file containing JavaScript code via the contact form. When an administrator opens this file in the back office, the script executes within the administrator's session context. This grants the attacker the ability to steal the administrator's session cookie, effectively impersonating the administrator and performing any action they are authorized to do. This includes accessing sensitive customer data, modifying product information, processing fraudulent orders, and potentially gaining complete control over the e-commerce platform. The attack surface is limited to PrestaShop installations with the customer-thread feature enabled, but this feature is commonly used for customer support interactions, increasing the likelihood of exploitation.
CVE-2024-34716 was publicly disclosed on May 14, 2024. There is currently no indication of active exploitation in the wild, but the vulnerability's critical severity and the availability of a public attack vector suggest a high probability of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation.
PrestaShop installations running versions 8.1.0 through 8.1.5 are at direct risk. Specifically, those deployments that have enabled the customer-thread feature flag through the front-office contact form are the most vulnerable. Shared hosting environments running PrestaShop are also at increased risk due to the potential for cross-tenant contamination.
• php: Examine PrestaShop installation logs for suspicious file uploads via the contact form. Look for unusual file extensions or filenames that might indicate malicious code.
  grep -i 'contact form upload' /var/log/prestashop/error.log
• generic web: Monitor access logs for requests to the contact form endpoint with unusual file uploads. Check response headers for signs of XSS payloads.
  curl -I https://example.com/contact_form.php?attachment=malicious.php
• wordpress / composer / npm: (Not applicable - PrestaShop is PHP-based, not WordPress/Composer/npm)
• database (mysql, redis, mongodb, postgresql): (Not applicable - vulnerability is not database-specific)
• windows / supply-chain: (Not applicable - PrestaShop is not a Windows application)
• linux / server: Monitor system processes for unusual PHP scripts being executed, particularly those related to file handling or session management. Use ps aux | grep php to identify running PHP processes.
EPSS: 36.66% (97th percentile)
The primary mitigation for CVE-2024-34716 is to immediately upgrade PrestaShop to version 8.1.6 or later. This version includes a patch that addresses the underlying vulnerability. If upgrading is not immediately feasible, consider disabling the customer-thread feature flag through the front-office contact form to remove the attack vector. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to detect and block suspicious file uploads, particularly those containing JavaScript code, can provide an additional layer of defense. Regularly review PrestaShop's security recommendations and apply any relevant configuration changes to harden the platform.
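As an added example that is neither PrestaShop's code nor part of this advisory, the following Python applies the checks the detection and mitigation sections describe to contact-form attachments: it flags browser-renderable extensions, double extensions and embedded script markers regardless of extension, and the same function can sweep an existing upload directory retrospectively or be called from an upload hook or WAF rule to reject such files at submission time. The allow-list, the upload path and the sample files are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Extensions a browser renders as markup, i.e. where script inside the file would run.
RENDERABLE_EXT = {"html", "htm", "xhtml", "svg", "xml", "shtml"}
# Hypothetical allow-list of attachment types a support contact form actually needs.
ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}
# Markers of embedded script; checked on the first 64 KiB of content, whatever the extension says.
SCRIPT_MARKERS = re.compile(
    rb"<\s*script|javascript\s*:|<\s*svg|on(?:load|error|click)\s*=|<\s*iframe",
    re.IGNORECASE,
)


def attachment_findings(filename: str, content: bytes) -> list[str]:
    """Return the reasons an attachment is suspicious; an empty list means it looks benign."""
    findings = []
    exts = filename.lower().rsplit("/", 1)[-1].split(".")[1:]
    if not exts or exts[-1] not in ALLOWED_EXT:
        findings.append(f"extension not allowed: .{exts[-1] if exts else ''}")
    if any(e in RENDERABLE_EXT for e in exts):
        findings.append("browser-renderable markup extension")
    if len(exts) > 1:
        findings.append(f"double extension: {'.'.join(exts)}")
    if SCRIPT_MARKERS.search(content[:65536]):
        findings.append("script markers in content")
    return findings


def scan_upload_dir(root: Path) -> dict[str, list[str]]:
    """Retrospective sweep of an attachment directory (the path is an assumption, not PrestaShop's)."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file():
            findings = attachment_findings(path.name, path.read_bytes())
            if findings:
                report[str(path)] = findings
    return report


# Constructed sample attachments, not real captures.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 ...",
    "logo.svg": b"<svg xmlns='http://www.w3.org/2000/svg' onload='x()'/>",
    "photo.png.html": b"<html><script>/* constructed */</script></html>",
    "note.txt": b"Order 1234 arrived damaged, see attached photo.",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, attachment_findings(name, data) or "ok")
```

Run against a real upload directory, a non-empty report is the list of files to review before any administrator opens them in the back office.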
Update PrestaShop to version 8.1.6 or later. Alternatively, you can disable the 'customer-thread' feature in the PrestaShop settings until you are able to apply the update.
CVE-2024-34716 is a critical XSS vulnerability in PrestaShop versions 8.1.0 through 8.1.5. It allows attackers to inject malicious scripts via the contact form when the customer-thread feature is enabled.
You are affected if you are running PrestaShop versions 8.1.0 through 8.1.5 and have the customer-thread feature enabled.
Upgrade PrestaShop to version 8.1.6 or later. If immediate upgrade is not possible, disable the customer-thread feature flag.
There is no current evidence of active exploitation, but the vulnerability's severity and ease of exploitation suggest a high probability of future attacks.
Refer to the official PrestaShop security advisory on their website: https://www.prestashop.com/en/security