Protect Your PrestaShop Store from Cross-Site Scripting Attacks

CVE: CVE-2024-21627
CVSS (v3.1): 8.1
Source: CVE-2024-21627

PrestaShop is a popular open source e-commerce platform used by many online stores. Unfortunately, versions prior to 8.1.3 and 1.7.8.11 are affected by a cross-site scripting (XSS) vulnerability.

XSS attacks work by injecting malicious scripts into web pages viewed by other users. On PrestaShop, attackers could craft special HTML or JavaScript code that would be executed in users’ browsers when they visit an affected site. This allows the attacker to steal users’ login cookies and other sensitive information.

The vulnerability lies in PrestaShop’s `isCleanHTML` method, which is meant to sanitize HTML content but fails to detect and remove some malicious script tags. Attackers could exploit this by posting crafted messages or reviews containing hidden XSS payloads on a store.

The good news is that PrestaShop has released patches that fix this in versions 8.1.3 and 1.7.8.11. Store owners are advised to update immediately. As an additional precaution, using an HTML sanitization library such as HTMLPurifier is recommended to filter any unsanitized user input before it is stored or rendered.
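As an added example (not code from PrestaShop or from this post), the following PHP helper runs customer-submitted review or message HTML through HTMLPurifier with an allow-list configuration, so that anything not explicitly permitted is dropped instead of being matched against a blocklist. The function name and the sample review are constructed for illustration; the library is the Composer package `ezyang/htmlpurifier`.

```php
<?php
// Added example (not PrestaShop's own code): allow-list sanitization of
// customer-submitted HTML with HTMLPurifier (composer: ezyang/htmlpurifier).
require __DIR__ . '/vendor/autoload.php';

/**
 * Return a sanitized copy of HTML submitted by a customer, e.g. a product
 * review or a contact-form message. Only the listed tags and attributes
 * survive; script elements, inline event handlers and javascript: URLs are
 * outside the allow-list and are therefore removed.
 */
function sanitizeCustomerHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Simple formatting and links only: no <script>, <iframe>, <style>,
    // no on* event attributes, no style attributes.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href]');
    // Links may use http/https only; javascript: and data: schemes are rejected.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Customer-supplied links should not pass reputation or open in-tab.
    $config->set('HTML.Nofollow', true);
    $config->set('HTML.TargetBlank', true);
    // Disable the on-disk definition cache so the example runs anywhere;
    // in production set Cache.SerializerPath to a writable directory instead.
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Constructed sample review: legitimate formatting mixed with injected script.
$review = '<p>Great <b>product</b>! <script>alert(1)</script>'
        . '<a href="javascript:alert(2)" onclick="alert(3)">details</a></p>';

// Sanitize at the point where the HTML is accepted (and again before rendering
// if the stored value was written by older, unpatched code).
echo sanitizeCustomerHtml($review), PHP_EOL;
```

Because the sanitizer rebuilds the document from parsed tokens rather than searching the raw string for known bad tags, obfuscated or unusual script constructs are dropped along with everything else that is not on the allow-list.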

To stay protected, keep your PrestaShop installation up to date with the latest security fixes. Also be wary of any suspicious messages or reviews on your site that could contain hidden scripts. Taking these steps will help block XSS attacks and keep your store and customers safe.
