Platform: php
Component: prestashop
Fixed in: 8.1.1
CVE-2024-34716 describes a critical cross-site scripting (XSS) vulnerability affecting PrestaShop versions 8.1.0 and later, up to 8.1.5. This vulnerability allows attackers to inject malicious scripts that can be executed when an administrator opens an attached file in the back office, potentially leading to session hijacking and unauthorized actions. The vulnerability is triggered specifically when the customer-thread feature flag is enabled through the front-office contact form. A fix is available in PrestaShop 8.1.6.
The impact of this XSS vulnerability is significant. A successful exploit allows an attacker to upload a malicious file containing JavaScript code via the contact form. When an administrator opens this file in the back office, the script executes within the administrator's session context. This grants the attacker the ability to steal the administrator's session cookie, effectively impersonating the administrator and performing any action they are authorized to do. This includes accessing sensitive customer data, modifying product information, processing fraudulent orders, and potentially gaining complete control over the e-commerce platform. The attack surface is limited to PrestaShop installations with the customer-thread feature enabled, but this feature is commonly used for customer support interactions, increasing the likelihood of exploitation.
CVE-2024-34716 was publicly disclosed on May 14, 2024. There is currently no indication of active exploitation in the wild, but the vulnerability's critical severity and the availability of a public attack vector suggest a high probability of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation.
Exploit Status
EPSS: 36.66% (97th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-34716 is to immediately upgrade PrestaShop to version 8.1.6 or later. This version includes a patch that addresses the underlying vulnerability. If upgrading is not immediately feasible, consider disabling the customer-thread feature flag, which removes the front-office contact form attack vector. While not a complete solution, a Web Application Firewall (WAF) with rules to detect and block suspicious file uploads, particularly those containing JavaScript code, can provide an additional layer of defense. Regularly review PrestaShop's security recommendations and apply any relevant configuration changes to harden the platform.
Update PrestaShop to version 8.1.6 or higher. Alternatively, disable the 'customer-thread' feature in PrestaShop settings until you can perform the update.
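As an added, defensive illustration (not PrestaShop's own code, and not the upstream patch), the following shows the two controls the attack chain above passes through: content-based validation of a contact-form attachment at upload time, and serving a stored attachment to the back office as a download rather than an inline document. Function names, the type allowlist and the size limit are assumptions.

```php
<?php
declare(strict_types=1);

// Allowlist of attachment MIME types we are willing to store (assumed set).
// Browser-renderable document types (text/html, image/svg+xml, text/xml, ...)
// are deliberately absent: they can carry script that runs when an administrator
// opens the file in the back office.
const ALLOWED_ATTACHMENT_TYPES = [
    'application/pdf' => 'pdf',
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
];

// Validate an uploaded file by its content, never by the client-supplied name
// or Content-Type. Returns the extension to store it under, or null to reject.
// In a real handler $tmpPath is $_FILES[...]['tmp_name'] and the caller should
// also check is_uploaded_file() before calling this.
function validateAttachment(string $tmpPath, int $maxBytes = 2 * 1024 * 1024): ?string
{
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !isset(ALLOWED_ATTACHMENT_TYPES[$detected])) {
        return null;
    }
    // Defence in depth: reject files whose leading bytes look like markup even if
    // libmagic classified them as an allowed type (e.g. an image/HTML polyglot).
    $head = strtolower((string) file_get_contents($tmpPath, false, null, 0, 1024));
    if (preg_match('/<\s*(script|html|svg|\?xml|!doctype)/', $head) === 1) {
        return null;
    }
    return ALLOWED_ATTACHMENT_TYPES[$detected];
}

// Serve a stored attachment to a back-office user as a download. Content-Disposition
// attachment plus nosniff stops the browser rendering it as a page inside the admin
// origin, and the sandboxed CSP blocks script even if the file is ever displayed.
function sendAttachmentHeaders(string $storedName, string $mime): void
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $storedName);
    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: default-src 'none'; sandbox");
}
```

Feeding an HTML file saved as `invoice.pdf` to validateAttachment() returns null, because finfo reports text/html from the bytes regardless of the name.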
CVE-2024-34716 is a critical XSS vulnerability in PrestaShop versions 8.1.0 through 8.1.5. It allows attackers to inject malicious scripts via the contact form when the customer-thread feature is enabled.
You are affected if you are running PrestaShop versions 8.1.0 through 8.1.5 and have the customer-thread feature enabled.
Upgrade PrestaShop to version 8.1.6 or later. If immediate upgrade is not possible, disable the customer-thread feature flag.
There is no current evidence of active exploitation, but the vulnerability's severity and ease of exploitation suggest a high probability of future attacks.
Refer to the official PrestaShop security advisory on their website: https://www.prestashop.com/en/security