CVE-2024-21627

Some attribute not escaped in Validate::isCleanHTML method

Description

PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.

References

Link	Tags
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq	vendor advisory
https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129	patch
https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883	patch

Frequently Asked Questions

What is the severity of CVE-2024-21627?: CVE-2024-21627 has been scored as a high severity vulnerability.
How to fix CVE-2024-21627?: To fix CVE-2024-21627, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-21627 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-21627 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-21627?: CVE-2024-21627 affects PrestaShop PrestaShop.

Description

Categories

CWE-20 – Improper Input Validation

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions