CVE-2024-34716
Published: 14 May 2024
Summary
CVE-2024-34716 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Prestashop Prestashop. Its CVSS base score is 9.6 (Critical).
Operationally, ranked in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
PrestaShop, an open source e-commerce web application, contains a stored cross-site scripting vulnerability (CWE-79) in versions 8.1.0 through 8.1.5. The flaw is present only when the customer-thread feature flag is enabled and manifests through the front-office contact form, allowing an attacker to upload a file containing malicious JavaScript that executes in the back-office context when an administrator views the attachment.
An unauthenticated attacker can exploit the issue by submitting a crafted file via the contact form. Once an administrator opens the file in the back office, the injected script gains access to the administrator’s session and security token, enabling arbitrary actions within the scope of the administrator’s privileges, including potential account takeover or further administrative operations.
Official advisories and release notes for PrestaShop 8.1.6 state that the vulnerability is resolved in that version. The recommended workaround for instances that cannot be immediately updated is to disable the customer-thread feature flag. The associated EPSS score remains elevated near 0.42 with no material post-disclosure climb from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1402
Vulnerability details
PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is…
more
enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.