CVE-2024-21627 in PrestaShopinfo

Summary

by MITRE • 01/02/2024

PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 01/23/2024

CVE-2024-21627 represents a cross-site scripting vulnerability affecting PrestaShop e-commerce platforms prior to versions 8.1.3 and 1.7.8.11. This vulnerability stems from insufficient validation within the `isCleanHTML` method which fails to properly detect certain event attributes in HTML content. The flaw falls under CWE-79 - Cross-site Scripting and specifically manifests as a failure in input sanitization mechanisms that should prevent malicious script execution. The vulnerability impacts modules that rely on the `isCleanHTML` method for HTML validation, creating potential attack vectors where malicious actors could inject harmful JavaScript code through user-submitted content.

The technical implementation of this vulnerability occurs when event attributes such as onclick, onmouseover, or other JavaScript handlers are not properly filtered by the `isCleanHTML` method. These attributes can bypass the sanitization process and remain embedded in HTML content, allowing them to execute when the content is rendered in web browsers. The issue is particularly concerning because it affects core platform functionality where user-generated content is processed, and the vulnerability exists in the legacy object models where HTML type fields automatically invoke the `isCleanHTML` method without adequate protection. This creates a chain of potential exploitation where a single vulnerable module can compromise the entire platform's security posture.

The operational impact of CVE-2024-21627 extends beyond simple XSS attacks as it can enable attackers to perform session hijacking, defacement of e-commerce sites, data theft, and potentially escalate privileges within the platform. Attackers could exploit this vulnerability to inject malicious scripts that target authenticated users, leading to unauthorized access to customer data, payment information, or administrative functions. The vulnerability affects the core integrity of the e-commerce platform by allowing persistent malicious code execution, which can be particularly damaging in retail environments where customer trust and data security are paramount. This weakness also aligns with ATT&CK technique T1531 - Account Access Removal and T1059.001 - Command and Scripting Interpreter, as it provides pathways for malicious code execution and potential privilege escalation.

Organizations using affected PrestaShop versions should immediately implement the patch available in versions 8.1.3 and 1.7.8.11 to address the root cause of the vulnerability. The recommended workaround of implementing the HTMLPurifier library provides an additional layer of protection and aligns with security best practices for HTML sanitization. The HTMLPurifier library offers more robust and comprehensive filtering capabilities compared to the basic `isCleanHTML` method, effectively addressing the gaps in attribute detection that enable XSS exploitation. Security teams should also conduct comprehensive audits of all modules that utilize the `isCleanHTML` method, particularly focusing on legacy object models where HTML type fields automatically invoke this validation. Additionally, implementing proper input validation at multiple layers, including client-side and server-side validation, can provide defense-in-depth protection against similar vulnerabilities. The vulnerability underscores the importance of maintaining up-to-date security patches and implementing comprehensive security testing procedures for all web applications that process user-generated content.

Responsible

GitHub, Inc.

Reservation

12/29/2023

Disclosure

01/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00519

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!