Cyber Resilience

CVE-2024-34716

Severity: Critical
Published: 14 May 2024
Modified: 21 January 2025
KEV Added: not listed
Patch: PrestaShop 8.1.6
CVSS v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS: 0.4232 (97.5th percentile)
Risk Priority: 45 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-34716 is a critical-severity stored cross-site scripting (CWE-79) vulnerability in PrestaShop. Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, its EPSS score places it in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

PrestaShop, an open source e-commerce web application, contains a stored cross-site scripting vulnerability (CWE-79) in versions 8.1.0 through 8.1.5. The flaw exists only when the customer-thread feature flag is enabled and is reachable through the front-office contact form: an attacker can attach a file containing malicious JavaScript that executes in the back-office context when an administrator views the attachment.

No authentication is needed. The attacker submits a crafted file through the contact form and waits for an administrator to open it in the back office. Because the script then runs in the back-office origin, it can read the administrator's session and security token and perform any action within the administrator's privileges, up to account takeover and further administrative operations.

PrestaShop 8.1.6 resolves the issue, as its release notes and the accompanying advisory state. Instances that cannot be updated immediately should disable the customer-thread feature flag, which removes the affected code path. The EPSS score is elevated, at about 0.42, with no material post-disclosure climb.
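To make the attachment path concrete, the following added example (not PrestaShop code and not the 8.1.6 fix; the allowlist, file names and sample uploads are constructed for illustration) contrasts the generic vulnerable pattern of serving a customer-uploaded file inline with the client's declared type against an upload-time check that trusts neither name nor MIME type and a download-only response. `would_execute` is a deliberately crude model of browser behaviour, present only to make the difference between the two responses observable.

```python
"""Customer-uploaded attachments shown to an administrator: a generic
vulnerable serving pattern next to a hardened upload check and response.

Added example; not PrestaShop code and not the 8.1.6 fix. The allowlist,
file names and sample uploads are constructed for illustration.
"""
import re

# Allowlisted extensions and the magic bytes their content must start with
# (assumed allowlist for the demo, not PrestaShop's).
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markup a browser would render as a document and execute script from.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|svg|html|\?xml|iframe|object|embed)\b", re.I)
# Only characters that are safe inside a Content-Disposition filename.
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")

# Constructed sample uploads: (client-supplied name, client-supplied MIME, body).
SAMPLE_UPLOADS = [
    ("receipt.pdf", "application/pdf", b"%PDF-1.4\n1 0 obj <<>> endobj\n%%EOF"),
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    # HTML body behind an image name; the client also lies about the MIME type.
    ("photo.jpg", "text/html", b"<html><script>alert(document.cookie)</script></html>"),
    # SVG is XML: browsers render it as a document and run its script handlers.
    ("icon.svg", "image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'/>"),
]


def validate_upload(name, data):
    """Decide at upload time. Trusts neither the name nor the client MIME:
    the extension must be allowlisted, the bytes must match that type, and
    nothing that looks like markup gets stored as an attachment."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allowlist"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match the declared type"
    if ACTIVE_CONTENT.search(data[:4096]):
        return False, "contains markup or script"
    return True, "ok"


def serve_inline(client_mime, data):
    """Vulnerable pattern: echo the client's MIME type and render inline.
    An HTML or SVG body then executes in the back-office origin, with the
    viewing administrator's cookies and any token present in the page."""
    return {"Content-Type": client_mime, "Content-Length": str(len(data))}, data


def serve_as_download(name, data):
    """Hardened pattern: always a download, opaque type, no sniffing, and a
    sandboxing CSP in case a browser still decides to display the body."""
    safe = SAFE_NAME.sub("_", name)[:100] or "attachment"
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Length": str(len(data)),
    }
    return headers, data


def would_execute(headers, data):
    """Crude model of browser behaviour, just enough for the demo: script runs
    only when the response is displayed inline as an HTML/SVG/XML document."""
    inline = not headers.get("Content-Disposition", "").startswith("attachment")
    doc_type = headers.get("Content-Type", "") in {
        "text/html", "image/svg+xml", "application/xhtml+xml", "text/xml", "application/xml",
    }
    return inline and doc_type and ACTIVE_CONTENT.search(data[:4096]) is not None


def triage(uploads=SAMPLE_UPLOADS):
    """Run every sample through the upload check; return name -> (accepted, reason)."""
    return {name: validate_upload(name, data) for name, _mime, data in uploads}


if __name__ == "__main__":
    for name, mime, data in SAMPLE_UPLOADS:
        ok, why = validate_upload(name, data)
        vuln = would_execute(*serve_inline(mime, data))
        safe = would_execute(*serve_as_download(name, data))
        print(f"{name:12} upload={'accept' if ok else 'reject':6} ({why}); "
              f"script runs when served inline={vuln}, as download={safe}")
```

Two points carry over to any real fix. The upload check and the serving headers are independent layers: the content check stops disguised HTML and SVG from being stored at all, while `Content-Disposition: attachment` plus `nosniff` means that even a file which slips through is never rendered in the back-office origin where the session and token live. Disabling the customer-thread feature flag, the page's workaround, removes the whole path rather than hardening it.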

Vulnerability details

PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: prestashop
Product: prestashop
Versions: 8.1.0 up to and including 8.1.5 (fixed in 8.1.6)

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-79) cited in the NVD entry.

- Penetration testing (addresses CWE-79): submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation (addresses CWE-79): validates web inputs to reject script-related content that could produce XSS. For this CVE the input is an uploaded attachment, so the check belongs on the file's content and type rather than on form text fields.
- Output validation (addresses CWE-79): output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. For this CVE that means how the back office serves the stored attachment to the administrator.
