CVE-2024-21627

PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*

History

08 Jan 2024, 19:23

Type Values Removed Values Added
CPE cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*
CWE CWE-20
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
First Time Prestashop prestashop
Prestashop
References () https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq - () https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq - Vendor Advisory
References () https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883 - () https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883 - Patch
References () https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129 - () https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129 - Patch

02 Jan 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-02 21:15

Updated : 2024-02-28 20:54


NVD link : CVE-2024-21627

Mitre link : CVE-2024-21627

CVE.ORG link : CVE-2024-21627


JSON object : View

Products Affected

prestashop

  • prestashop
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-20

Improper Input Validation