CVE-2024-34716
PrestaShop cross-site scripting via customer contact form in FO, through file upload
Description
### Impact

Only PrestaShop installations with the customer-thread feature flag enabled are affected, starting from PrestaShop 8.1.0. When that flag is enabled, an attacker can use the front-office contact form to upload a malicious file containing an XSS payload; the script executes when an administrator opens the attached file in the back office. The injected script can then read the administrator's session and security token, which lets it perform any authenticated action within the administrator's rights.

### Patches

This vulnerability is patched in 8.1.6.

### Workarounds

Until you have upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature flag.

Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and shared it with the PrestaShop team.
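The advisory describes the mechanism (a customer-uploaded file that runs script when an administrator opens it) but not the fix's internals, and it does not say which file types the contact form accepted. The following is an added example, not PrestaShop's code or its 8.1.6 patch, showing the two generic controls a reviewer would check for in any such upload path: validating the uploaded bytes by magic signature against a small allowlist (so an HTML or SVG body cannot be stored as "photo.jpg"), and serving stored attachments as forced downloads with `X-Content-Type-Options: nosniff` so the browser never renders them as a document. The allowlist, size limit, header set and sample uploads are assumptions constructed for the example.

```python
"""
Added example (not PrestaShop code): hardening a customer-facing file
upload so that an attachment an administrator later opens cannot run
script in the administrator's browser session.

Two independent controls:
  1. validate_upload(): accept the blob only if its magic bytes match an
     allowlisted image type, and only if the client-supplied filename and
     Content-Type agree with what the bytes actually are;
  2. download_headers(): when the attachment is served back, force a
     download and disable MIME sniffing, so even a file that slipped past
     (1) is not rendered as HTML/SVG in the back office.
"""

# Assumed allowlist of (magic-byte prefix, canonical MIME type, extension).
# SVG is deliberately absent: it is XML and may carry <script>.
ALLOWED_SIGNATURES = (
    (b"\xff\xd8\xff", "image/jpeg", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "image/png", "png"),
    (b"GIF87a", "image/gif", "gif"),
    (b"GIF89a", "image/gif", "gif"),
)

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit for the example


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def sniff_type(data: bytes):
    """Return (mime, ext) for an allowlisted signature, else None."""
    for magic, mime, ext in ALLOWED_SIGNATURES:
        if data.startswith(magic):
            return mime, ext
    return None


def validate_upload(data: bytes, client_name: str, client_mime: str) -> dict:
    """Validate an uploaded blob and return metadata that is safe to persist.

    The client-supplied name and MIME type are used only to reject
    inconsistent uploads; the stored type always comes from the bytes."""
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    sniffed = sniff_type(data)
    if sniffed is None:
        raise UploadRejected("content is not an allowlisted image type")
    mime, ext = sniffed
    # The extension must agree with the content: 'photo.jpg' over an HTML
    # body, or 'payload.html' over a real JPEG, are both rejected.
    client_ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    allowed_exts = {ext} | ({"jpeg"} if ext == "jpg" else set())
    if client_ext not in allowed_exts:
        raise UploadRejected(f"extension .{client_ext} does not match content {mime}")
    if client_mime.lower() != mime:
        raise UploadRejected(f"declared type {client_mime} does not match content {mime}")
    # The stored filename is generated server-side (see download_headers),
    # never taken from the client, so the name itself cannot carry markup.
    return {"mime": mime, "ext": ext, "size": len(data)}


def download_headers(stored_mime: str, stored_ext: str, attachment_id: int) -> dict:
    """Response headers for serving a stored attachment to an administrator.

    Forced download plus nosniff means the browser will not execute the
    file as HTML/SVG even if its bytes contain <script>; the CSP sandbox
    is a second layer for browsers that open the file anyway."""
    return {
        "Content-Type": stored_mime,
        "Content-Disposition": f'attachment; filename="attachment-{attachment_id}.{stored_ext}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, no-store",
    }


# Constructed sample uploads for the demo (not real captured traffic).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_HTML_AS_JPG = b"<html><script>fetch('/admin?t='+document.cookie)</script></html>"
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'


def demo() -> dict:
    """Run the constructed samples through the validator and return outcomes."""
    results = {}
    for label, data, name, mime in (
        ("good_png", SAMPLE_PNG, "screenshot.png", "image/png"),
        ("html_as_jpg", SAMPLE_HTML_AS_JPG, "photo.jpg", "image/jpeg"),
        ("svg", SAMPLE_SVG, "logo.svg", "image/svg+xml"),
    ):
        try:
            validate_upload(data, name, mime)
            results[label] = "accepted"
        except UploadRejected as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
    print(download_headers("image/png", "png", 42))
```

Validation on the way in and safe serving on the way out are independent: the first stops the payload from being stored, the second stops a stored payload from executing. Neither replaces the upgrade to 8.1.6; together they are what to verify in any other upload-then-admin-views path in the shop.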
How to fix CVE-2024-34716
To remediate CVE-2024-34716, upgrade the affected package to a fixed version below.
- Upgrade to PrestaShop 8.1.6 or later
Is CVE-2024-34716 being exploited?
Moderate. The EPSS score is 42.4% (EPSS estimates the probability of exploitation activity in the wild within the next 30 days). Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (2)
- >= 8.1.0, < 8.1.6
- >= 8.1.0, < 8.1.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| OSV | CVSS 3.1 | CRITICAL 9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |