GHSA-45vm-3j38-7p78

Suggest an improvement
Source
https://github.com/advisories/GHSA-45vm-3j38-7p78
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-45vm-3j38-7p78/GHSA-45vm-3j38-7p78.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-45vm-3j38-7p78
Aliases
Published
2024-05-14T20:17:12Z
Modified
2024-05-24T12:12:41.267802Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
PrestaShop cross-site scripting via customer contact form in FO, through file upload
Details

Impact

Only PrestaShops with customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0.

The impact is substantial, when the customer thread feature flag is enabled, through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office.

Consequence: the script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right.

Patches

This vulnerability is patched in 8.1.6.

Workarounds

As long as you have not upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature-flag.

Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and share it with the PrestaShop team.

Database specific
{
    "nvd_published_at": "2024-05-14T16:17:28Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T20:17:12Z"
}
References

Affected packages

Packagist / prestashop/prestashop

Package

Name
prestashop/prestashop
Purl
pkg:composer/prestashop/prestashop

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.1.0
Fixed
8.1.6

Affected versions

8.*

8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5