CVE-2024-34716: Critical Security Vulnerability Uncovered in PrestaShop
The PrestaShop project, a leading open-source e-commerce platform powering over 300,000 web stores globally since 2007, has recently issued a security advisory revealing two significant vulnerabilities. PrestaShop, renowned for its customizability, support for major payment services, multilingual and localized options, and fully responsive design, is urging users to apply the latest patches to mitigate these security risks.
CVE-2024-34717 (CVSS 5.4): Anonymous Invoice Access
The first vulnerability, tracked as CVE-2024-34717, allows unauthorized individuals to download invoices belonging to other customers. This breach of privacy could expose sensitive financial information and customer data.
The vulnerability was discovered by Samuel Bodevin, who reported it to the PrestaShop team for prompt action.
CVE-2024-34716 (CVSS 9.7): Cross-Site Scripting (XSS) Attack
The second vulnerability, identified as CVE-2024-34716, is a cross-site scripting (XSS) flaw that enables an attacker to submit malicious code through a PrestaShop store’s customer contact form. The code is executed when an administrator views the attached file, potentially granting the attacker access to the entire store’s backend and its sensitive information.
Ayoub AIT ELMOKHTAR identified this severe vulnerability and reported it to the PrestaShop team.
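As an added example, not code from the advisory or the PrestaShop project: a triage script a store operator could run over the directory holding contact-form attachments, flagging files whose bytes carry script-like markup and escalating those that hide it behind a document-type extension. The upload directory path, the accepted-extension list and the sample attachments are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Byte patterns that make an "attachment" behave as a web page once a browser renders it.
ACTIVE_MARKERS = {
    "script_tag": re.compile(rb"<\s*script\b", re.I),
    "svg_tag": re.compile(rb"<\s*svg\b", re.I),
    "iframe_tag": re.compile(rb"<\s*iframe\b", re.I),
    "event_handler": re.compile(rb"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(rb"javascript\s*:", re.I),
}
# Extensions a contact form would plausibly accept as harmless documents (constructed list).
DOCUMENT_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".txt", ".doc", ".docx"}


def find_markers(data: bytes) -> list[str]:
    """Names of the active-content markers present in the raw bytes."""
    return [name for name, rx in ACTIVE_MARKERS.items() if rx.search(data)]


def triage(filename: str, data: bytes) -> dict:
    """Flag an attachment that carries script-like markup; escalate it when the
    extension claims a document type, since the bytes, not the name, decide what
    the administrator's browser does with the file."""
    markers = find_markers(data)
    ext = Path(filename).suffix.lower()
    return {
        "file": filename,
        "markers": markers,
        "flag": bool(markers),
        "escalate": bool(markers) and ext in DOCUMENT_EXTENSIONS,
    }


def scan_directory(root: Path, head_bytes: int = 65536) -> list[dict]:
    """Run triage on every file under root (placeholder for the store's upload directory)."""
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            results.append(triage(path.name, fh.read(head_bytes)))
    return [r for r in results if r["flag"]]


# Constructed sample attachments, as a support inbox might receive them.
SAMPLES = {
    "invoice_question.txt": b"Hello, my order 123 was charged twice.",
    "receipt.pdf": b"<html><body onload=alert(1)></body></html>",
    "logo.svg": b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

Only the flagged entries are returned by `scan_directory`, so an empty list means no attachment in the directory contained any of the markers.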
Affected Versions and Patches
Both vulnerabilities affect PrestaShop version 8.1.5 and above. PrestaShop has released version 8.1.6, which includes patches for both issues. It is strongly advised that all PrestaShop users immediately upgrade to this latest version to protect their stores and customer data.
Workaround for CVE-2024-34716
For those unable to upgrade immediately, a temporary workaround for CVE-2024-34716 is available: disabling the “customer-thread” feature flag mitigates the risk of the XSS attack until the patch is applied.