Platform
php
Component
prestashop
Fixed in
1.5.1
CVE-2021-21308 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in PrestaShop, a popular open-source e-commerce platform. The flaw lets an attacker make the server issue requests on the attacker's behalf, potentially leading to sensitive data exposure or further exploitation. The vulnerability affects versions 1.5.0 through 1.7.7.1, and a fix is available in version 1.7.7.2.
The SSRF vulnerability in PrestaShop allows an attacker to craft malicious requests that the server will execute. This can be exploited to reach internal resources that are not directly accessible from the outside, such as internal APIs, databases, or other systems on the same network. An attacker could potentially read sensitive configuration files, access customer data, or trigger actions on other systems. The impact is amplified if the PrestaShop instance is deployed in an environment with privileged access or is connected to other critical systems. While the description mentions 'executing customer commands', the precise nature of this command execution requires further investigation; regardless, the SSRF vector alone provides a significant attack surface.
CVE-2021-21308 was publicly disclosed on February 26, 2021. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, demonstrating the feasibility of exploiting the SSRF vulnerability.
Exploit Status
EPSS
0.31% (54th percentile)
CVSS Vector
The primary mitigation for CVE-2021-21308 is to upgrade PrestaShop to version 1.7.7.2 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider temporary workarounds. Restrict outbound network access from the PrestaShop server using a Web Application Firewall (WAF) or proxy to block suspicious requests. Carefully review and restrict the protocols and domains that PrestaShop is allowed to contact. Monitor PrestaShop logs for unusual outbound requests that could indicate exploitation attempts. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability in a test environment and verifying that the request is blocked.
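As an added example (not PrestaShop's own code), the following PHP guard implements the "restrict the allowed protocols and domains" workaround above: it accepts only http and https, only hosts on a configured allowlist, and refuses an allowlisted name whose DNS answer points at private or reserved address space. The class name, the allowlisted host and the DNS answers are constructed for illustration; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not PrestaShop code: an outbound-URL guard for the
// "restrict allowed protocols and domains" mitigation (PHP 7.4+).
// Allowlist entries and DNS answers below are constructed sample values.
final class OutboundUrlGuard
{
    private const ALLOWED_SCHEMES = ['http', 'https'];
    /** @var string[] lower-cased hostnames the shop may contact */
    private array $allowedHosts;

    public function __construct(array $allowedHosts)
    {
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
    }

    /** Null when $url may be fetched, otherwise the reason it is refused. */
    public function reject(string $url, ?callable $resolver = null): ?string
    {
        $p = parse_url($url);
        if ($p === false || empty($p['scheme']) || empty($p['host'])) {
            return 'unparseable URL';
        }
        if (!in_array(strtolower($p['scheme']), self::ALLOWED_SCHEMES, true)) {
            return 'scheme not allowed: ' . $p['scheme'];
        }
        $host = strtolower(trim($p['host'], '[]')); // strip IPv6 brackets
        if (!in_array($host, $this->allowedHosts, true)) {
            return 'host not on allowlist: ' . $host;
        }
        // Check every resolved address, so a DNS answer that points an
        // allowlisted name at loopback or RFC 1918 space is still refused.
        $resolver ??= static fn(string $h): array => gethostbynamel($h) ?: [];
        $addrs = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
        if ($addrs === []) {
            return 'host does not resolve';
        }
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        foreach ($addrs as $ip) {
            if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
                return 'resolves to private or reserved address: ' . $ip;
            }
        }
        return null;
    }
}

$guard = new OutboundUrlGuard(['api.payment.example']);       // constructed allowlist
$publicDns = static fn(string $h): array => ['203.0.113.10']; // constructed answer
$rebindDns = static fn(string $h): array => ['10.0.0.5'];     // constructed answer
var_dump($guard->reject('https://api.payment.example/v1/charge', $publicDns));
var_dump($guard->reject('gopher://api.payment.example/', $publicDns));
var_dump($guard->reject('https://api.payment.example/', $rebindDns));
```

Call `reject()` on every URL before the shop's HTTP client uses it, and log the returned reason: those log lines are exactly the "unusual outbound requests" the monitoring workaround asks you to watch for.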
Update PrestaShop to version 1.7.7.2 or higher. This update corrects the improper session management that allows attackers to execute commands as customers. Create a backup before updating.
CVE-2021-21308 is a Server-Side Request Forgery (SSRF) vulnerability in PrestaShop versions 1.5.0 to 1.7.7.1, allowing attackers to initiate unauthorized requests.
Yes, if you are running PrestaShop versions 1.5.0 through 1.7.7.1, you are vulnerable to this SSRF vulnerability.
Upgrade PrestaShop to version 1.7.7.2 or later to resolve the vulnerability. Implement WAF rules as a temporary workaround.
While there's no confirmed active exploitation, public proof-of-concept exploits exist, making exploitation possible.
Refer to the PrestaShop security advisory for detailed information and updates: https://blog.prestashop.com/security-vulnerability-ssrf-cve-2021-21308