CVE-2022-21686 — Server Side Twig Template Injection

Description

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

How to fix CVE-2022-21686

To remediate CVE-2022-21686, upgrade the affected package to a fixed version below.

—upgrade to 1.7.8.3 or later

Is CVE-2022-21686 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.7.0.0, < 1.7.8.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-21686
WEBgithub.com/PrestaShop/PrestaShop
WEBgithub.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21
WEBgithub.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3