CVE-2024-21627: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PrestaShop PrestaShop
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize HTML input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
AI Analysis
Technical Summary
CVE-2024-21627 is a high-severity cross-site scripting (XSS) vulnerability affecting PrestaShop, an open-source e-commerce platform widely used for online retail. The vulnerability arises from improper neutralization of input during web page generation, specifically because the `isCleanHTML` method fails to detect certain event attributes in HTML content. This flaw allows malicious actors to inject and execute arbitrary JavaScript code within the context of the affected PrestaShop web application. The issue affects PrestaShop versions from 8.0.0 up to but not including 8.1.3, and all versions prior to 1.7.8.11. The vulnerability is rooted in the failure to properly sanitize user-supplied HTML input, particularly in legacy object models where fields of HTML type invoke the `isCleanHTML` method. Exploiting this vulnerability requires high privileges (PR:H) and user interaction (UI:R), but a successful attack leads to a complete compromise of confidentiality and integrity, as indicated by the CVSS vector (C:H/I:H/A:N). The vulnerability does not impact availability. The recommended remediation is to upgrade to PrestaShop version 8.1.3 or 1.7.8.11 or later, where the issue is patched. Alternatively, using the `HTMLPurifier` library to sanitize HTML input is advised, as it is already included as a dependency in PrestaShop. No known exploits are currently reported in the wild, but the high CVSS score (8.1) and the nature of the vulnerability make it a significant risk for e-commerce sites running vulnerable versions of PrestaShop.
Potential Impact
For European organizations operating e-commerce platforms using vulnerable versions of PrestaShop, this XSS vulnerability poses a serious risk. Successful exploitation could allow attackers to execute malicious scripts in the browsers of legitimate users, leading to theft of sensitive information such as session cookies, personal data, or payment details. This can result in account takeover, fraudulent transactions, and reputational damage. Given the high confidentiality and integrity impact, attackers could also manipulate displayed content, potentially defacing websites or injecting phishing content to deceive customers. The requirement for authentication and user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments with many users or administrators. Additionally, the vulnerability could be leveraged as a stepping stone for further attacks within the network. Compliance with GDPR and other European data protection regulations could be jeopardized if personal data is compromised, leading to legal and financial consequences. The absence of known exploits in the wild does not reduce the urgency, as the vulnerability is publicly disclosed and could be targeted soon.
Mitigation Recommendations
European organizations should prioritize upgrading PrestaShop installations to version 8.1.3 or 1.7.8.11 or later, where the vulnerability is patched. If immediate upgrading is not feasible, using the `HTMLPurifier` library to sanitize all user-supplied HTML input is critical to mitigate the risk. Review and audit all custom and third-party modules that rely on the `isCleanHTML` method to ensure they do not process unsafe HTML content. Conduct thorough input validation and output encoding on all user inputs, especially those that can affect HTML content generation. Limit administrative access and enforce strong authentication mechanisms, since exploitation requires an authenticated, privileged account. Monitor web application logs for suspicious activity indicative of XSS attempts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Finally, educate developers and administrators about secure coding practices related to HTML input handling to prevent similar vulnerabilities in the future.
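The following added example (not PrestaShop project code) shows how a module can apply the `HTMLPurifier` workaround described above instead of trusting `isCleanHTML`: it assumes Composer's `vendor/autoload.php` exposes the `ezyang/htmlpurifier` package, and the helper names `buildPurifier`, `sanitizeUserHtml` and `isStrictlyCleanHtml` are hypothetical. Because `HTMLPurifier` works from an allowlist of tags and attributes, event handler attributes are dropped no matter how they are spelled, which is the property a denylist check lacks.

```php
<?php
// Added example, not PrestaShop project code. Assumes the Composer autoloader
// makes HTMLPurifier available, as the advisory says it already is in PrestaShop.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build an HTMLPurifier that keeps only an allowlist of tags and attributes.
 * Event handler attributes (onclick, onerror, ...) are never in the allowed
 * set, so they are removed rather than pattern-matched.
 */
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Tags/attributes a product or CMS description legitimately needs.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href|title],img[src|alt]');
    // Only http/https links: rejects javascript: and data: URI schemes.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Disable the on-disk definition cache so no writable cache dir is needed.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

/**
 * Returns sanitized markup, so callers store the purified value instead of
 * the raw one. Purify BEFORE assigning to a legacy ObjectModel field of
 * HTML type: that field will still call isCleanHTML, which is not a safeguard.
 */
function sanitizeUserHtml(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = buildPurifier();
    }
    return $purifier->purify($dirty);
}

/**
 * Strict validator for code paths that must reject rather than repair input:
 * the markup is "clean" only if purification leaves it unchanged.
 */
function isStrictlyCleanHtml(string $html): bool
{
    return sanitizeUserHtml($html) === $html;
}

// Constructed sample: a description whose <img> carries an event attribute.
$dirty = '<p>Great <b>product</b>!</p><img src="x.png" onerror="alert(1)">';
echo sanitizeUserHtml($dirty), PHP_EOL;        // onerror is gone, <p>/<b>/<img src> survive
var_dump(isStrictlyCleanHtml($dirty));          // false: the input needed changes
var_dump(isStrictlyCleanHtml('<p>Plain <em>text</em></p>')); // true
```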
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2023-12-29T03:00:44.954Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f0dc1182aa0cae27ff33c
Added to database: 6/3/2025, 2:59:13 PM
Last enriched: 7/4/2025, 5:12:54 AM
Last updated: 8/11/2025, 9:11:22 PM