CVE-2024-21628 MEDIUM

CVE-2024-21628: XSS can be stored in DB from "add a message form" in order detail page (FO)

Vendor Prestashop
Product PrestaShop
Weakness CWE-79 · XSS
Published January 2, 2024
Last update November 14, 2024
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:L

What the vulnerability does

01Description

PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. Version 8.1.3 contains a patch for this issue.

Key dates

02Disclosure timeline

January 2, 2024 CVE published
November 14, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-3533 Campcodes Complete Online Student Management System academic_year_view.php cross site scripting CVE-2024-13238 Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002 CVE-2026-7377 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab CVE-2019-25423 Comodo Dome Firewall 2.7.0 Cross-Site Scripting via proxyconfig CVE-2025-58452 WeGIA vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint 'listar_despachos.php' parameter 'id_memorando'