CVE-2018-13784 in PrestaShop

Summary

by MITRE

PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.


Analysis

by VulDB Data Team • 08/02/2025

The vulnerability identified as CVE-2018-13784 affects PrestaShop versions prior to 1.6.1.20 and 1.7.x versions before 1.7.3.4. It lies in the cookie encryption mechanisms implemented in the Cookie.php, Rinjdael.php, and Blowfish.php files. This flaw is a critical weakness in the application's session management and authentication system, potentially allowing attackers to compromise user sessions and gain unauthorized access to administrative functionality. The issue stems from improper handling of cryptographic operations within the cookie encryption framework, which is a fundamental component of the platform's security architecture.

The technical implementation flaw involves weaknesses in how cryptographic keys are generated, managed, and applied during cookie encryption processes. When PrestaShop processes user authentication cookies, it relies on these vulnerable encryption libraries to protect session data and maintain user identity across requests. The improper encryption handling creates opportunities for attackers to decrypt sensitive cookie information, potentially extracting session identifiers, user credentials, or other confidential data that should remain protected. This vulnerability falls under the category of cryptographic weakness and specifically relates to improper implementation of encryption algorithms as classified by CWE-327, which addresses the use of weak or broken cryptographic algorithms.

The operational impact of this vulnerability extends beyond simple session hijacking, as successful exploitation could enable attackers to perform administrative actions on behalf of legitimate users. When attackers can decrypt or manipulate cookies, they may gain access to sensitive administrative interfaces, modify product catalogs, alter customer data, or even execute arbitrary code within the application context. The affected versions of PrestaShop typically serve e-commerce environments where user sessions contain valuable transactional data, personal information, and administrative privileges. This creates a significant risk for organizations operating these platforms, as compromised sessions could lead to financial losses, data breaches, and reputational damage.

Organizations running affected PrestaShop versions should upgrade promptly to the patched versions 1.6.1.20 and 1.7.3.4, which contain the necessary cryptographic fixes. Additional defensive measures include implementing proper session management policies, monitoring for suspicious authentication patterns, and ensuring that all encryption keys are properly generated and rotated. The vulnerability demonstrates the importance of following secure coding practices for cryptographic implementations and aligns with ATT&CK technique T1566, which covers credential access through session hijacking and authentication bypass methods. System administrators should also consider deploying web application firewalls and intrusion detection systems to monitor for exploitation attempts targeting these specific encryption weaknesses.

Reservation: 07/09/2018

Disclosure: 07/09/2018

Moderation: accepted

CPE: ready

EPSS: 0.49531

KEV: no

Activities: very low
