CVE-2024-34716 Overview
CVE-2024-34716 is a Cross-Site Scripting (XSS) vulnerability affecting PrestaShop, a widely used open source e-commerce web application. The vulnerability is present in PrestaShop installations where the customer-thread feature flag is enabled, impacting versions from 8.1.0 up to but not including 8.1.6.
When the customer thread feature flag is enabled, attackers can exploit the front-office contact form to upload malicious files containing XSS payloads. When an administrator opens the attached file in the back office, the injected script executes within the administrator's browser session, potentially compromising the entire e-commerce platform.
Critical Impact
Successful exploitation allows attackers to access administrator session tokens and security credentials, enabling them to perform any authenticated action within the scope of the administrator's privileges, including data theft, configuration changes, and full platform compromise.
Affected Products
- PrestaShop versions 8.1.0 through 8.1.5
- PrestaShop installations with customer-thread feature flag enabled
- E-commerce platforms running vulnerable PrestaShop versions
Discovery Timeline
- 2024-05-14 - CVE-2024-34716 published to NVD
- 2025-01-21 - Last updated in NVD database
Technical Details for CVE-2024-34716
Vulnerability Analysis
This Cross-Site Scripting vulnerability (CWE-79) stems from insufficient input validation in PrestaShop's customer thread file upload functionality. The attack requires user interaction: an administrator must open the malicious attachment in the back office for the XSS payload to execute.
The vulnerability exists exclusively in the context of the customer-thread feature, which allows customers to communicate with store administrators via file attachments through the front-office contact form. When this feature is enabled, the file handling mechanism fails to properly sanitize uploaded content, allowing malicious scripts to be embedded within files.
Upon execution, the injected script operates within the administrator's authenticated session context. This grants the attacker access to session tokens and security credentials, effectively inheriting the full privilege set of the compromised administrator account.
Root Cause
The root cause stems from improper input validation and output encoding in the file handling component of PrestaShop's customer thread feature. The application fails to adequately sanitize file contents before rendering them in the administrative interface, allowing JavaScript code embedded in uploaded files to execute when viewed by an administrator.
Attack Vector
The attack follows a stored XSS pattern with the following exploitation flow:
- Initial Access: Attacker uses the front-office contact form (with customer-thread feature enabled)
- Payload Delivery: Attacker uploads a crafted file containing malicious JavaScript
- Persistence: The malicious file is stored on the server
- Trigger: Administrator opens the attached file in the back office
- Execution: XSS payload executes in the administrator's browser context
- Exfiltration: Script accesses session tokens and security credentials
- Exploitation: Attacker performs authenticated actions using stolen credentials
The vulnerability requires network access and user interaction (administrator opening the file), but requires no authentication for the initial file upload through the customer contact form.
Detection Methods for CVE-2024-34716
Indicators of Compromise
- Suspicious file uploads through the customer contact form containing embedded JavaScript or HTML content
- Unusual administrative actions or configuration changes following contact form submissions
- Administrator session token usage from unexpected IP addresses or locations
- Anomalous API calls or back office operations correlating with recent file attachment views
Detection Strategies
- Monitor file uploads through the customer thread feature for potentially malicious content patterns
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Review back office access logs for unusual activity patterns following file attachment viewing
- Deploy web application firewalls (WAF) with rules to detect XSS payloads in uploaded files
Monitoring Recommendations
- Enable detailed logging for all file upload operations and back office file access events
- Configure alerts for administrative session anomalies such as multiple concurrent sessions or geographic impossibilities
- Monitor for JavaScript execution attempts from user-uploaded content directories
- Implement file integrity monitoring on uploaded attachment storage locations
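The upload monitoring described above can be approximated with a simple attachment scanner. The following is an added example, not PrestaShop code: it checks each stored attachment's extension against a constructed allowlist of magic-byte signatures and looks for active HTML or script markup in the file head, which is exactly the content a back-office viewer should never render. The MAGIC table, the sample uploads and the function names are assumptions for this example.

```python
import re

# Magic-byte signatures for the attachment types the contact form should accept.
# Constructed allowlist for this example; align it with the store's upload policy.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

# Markup that becomes "active" the moment a browser renders the file inline.
ACTIVE_CONTENT = re.compile(
    rb"<\s*script\b|<\s*svg\b|<\s*iframe\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)

def scan_attachment(name: str, data: bytes) -> list[str]:
    """Return the findings for one stored attachment; an empty list means clean."""
    findings = []
    ext = name[name.rfind("."):].lower() if "." in name else ""
    signature = MAGIC.get(ext)
    if signature is None:
        findings.append(f"extension {ext or '(none)'} not in allowlist")
    elif not data.startswith(signature):
        findings.append(f"content does not match {ext} signature")
    # Browsers sniff the first bytes, so the head of the file is what matters.
    if ACTIVE_CONTENT.search(data[:4096]):
        findings.append("active HTML/script content embedded")
    return findings

def scan_uploads(uploads: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a batch of attachments and report only those with findings."""
    report = {}
    for name, data in uploads.items():
        findings = scan_attachment(name, data)
        if findings:
            report[name] = findings
    return report

# Constructed sample uploads standing in for files the contact form stored.
SAMPLE_UPLOADS = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj",
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16,
    # Renamed HTML: the extension says image, the bytes say markup.
    "receipt.png": b"<html><body><script>document.title</script></body></html>",
    # SVG is XML that can carry event handlers; renamed to pass an extension check.
    "logo.jpg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="document.title"/>',
    "notes.html": b"<p>plain markup, no script</p>",
}
```

Run `scan_uploads` over the attachment storage directory on a schedule and alert on any non-empty report; pair it with the back-office access logs so a flagged file that an administrator has already opened triggers the session review described above.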
How to Mitigate CVE-2024-34716
Immediate Actions Required
- Upgrade PrestaShop to version 8.1.6 or later immediately
- If immediate upgrade is not possible, disable the customer-thread feature flag as a temporary workaround
- Review recent contact form submissions and uploaded attachments for suspicious content
- Audit administrator account activity for signs of unauthorized access or configuration changes
- Consider invalidating and rotating all administrator session tokens
Patch Information
PrestaShop has released version 8.1.6 which addresses this vulnerability. The patch is available through the official PrestaShop 8.1.6 Release. Organizations should upgrade to this version or later to receive the security fix.
For detailed technical information about the vulnerability and the patch, refer to the GitHub Security Advisory GHSA-45vm-3j38-7p78.
Workarounds
- Disable the customer-thread feature flag through PrestaShop's configuration settings until the upgrade can be completed
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Deploy web application firewall rules to filter potentially malicious file uploads
- Restrict administrator access to uploaded attachments to isolated or sandboxed browser environments
- Consider implementing additional file type validation and content scanning for uploads
```sql
-- Disable the customer-thread feature flag in PrestaShop configuration.
-- Preferred: PrestaShop Admin Panel > Advanced Parameters > Feature Flags,
-- set the customer-thread feature to "Disabled".
-- Alternative: modify the configuration via the database. "ps_" is the default
-- table prefix; adjust it, and verify the configuration key, for your installation.
UPDATE ps_configuration SET value = '0' WHERE name = 'PS_CUSTOMER_THREAD_FEATURE';
```
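The CSP and sandboxing workarounds above come down to how an attachment is handed to the administrator's browser. The following is an added example, not PrestaShop code: a helper that builds the response headers for serving one customer-thread attachment so that it downloads instead of rendering, cannot be sniffed into HTML, and is sandboxed if rendered anyway. The SAFE_TYPES allowlist and the function name are assumptions for this example.

```python
from pathlib import PurePosixPath

# Media types the back office may pass through unchanged. Anything else is served
# as opaque binary so the browser has no reason to render it as HTML or SVG.
# Constructed allowlist for this example; SVG is deliberately absent.
SAFE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
}

def attachment_headers(original_name: str) -> dict[str, str]:
    """Response headers for handing one customer-thread attachment to an admin."""
    path = PurePosixPath(original_name)
    content_type = SAFE_TYPES.get(path.suffix.lower(), "application/octet-stream")
    # Keep only the final path component and drop quote characters so a crafted
    # filename cannot break out of the Content-Disposition header.
    safe_name = path.name.replace('"', "").replace("\\", "")
    return {
        "Content-Type": content_type,
        # Download rather than inline display: the file never renders in the
        # back-office origin where the admin session cookie lives.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Stop MIME sniffing from promoting a mislabeled file to text/html.
        "X-Content-Type-Options": "nosniff",
        # If something renders it anyway, it runs in an opaque sandboxed origin
        # with no script execution and no resource loads.
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }
```

Apply these headers on the back-office route that streams the stored attachment, in addition to (not instead of) the upgrade to 8.1.6.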
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.