CVE-2024-25841 is a Cross Site Scripting (XSS) vulnerability identified in the 'So Flexibilite' module (soflexibilite) of the Common-Services package for PrestaShop, specifically affecting versions prior to 4.1.26. XSS vulnerabilities arise when an application does not properly sanitize user-supplied input, allowing attackers to inject malicious scripts into web pages viewed by other users. In this case, the vulnerability permits a guest user—meaning an unauthenticated or authenticated customer—to inject arbitrary scripts. The CVSS 3.1 score is 5.9 (medium), with vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating that the attack requires local access (e.g., the attacker must have some form of access to the application interface, possibly through the web interface but not necessarily remote network access), low attack complexity, no privileges required, no user interaction needed, and impacts confidentiality, integrity, and availability to a limited extent. The vulnerability is classified under CWE-79, which is the standard identifier for XSS issues. No public exploits or patches are currently listed, but the module's maintainers have released version 4.1.26 which presumably addresses this issue. The vulnerability could allow attackers to steal session cookies, deface websites, or redirect users to malicious sites, thereby compromising user data and trust.

The impact of CVE-2024-25841 on organizations worldwide includes potential theft of sensitive user information such as session tokens, leading to account hijacking. Attackers could also manipulate website content to defraud users or distribute malware, damaging brand reputation and customer trust. Since the vulnerability affects an e-commerce module, it could disrupt online sales and customer experience, resulting in financial losses. The requirement for local access limits widespread remote exploitation, but attackers with access to the web interface or who can trick users into visiting crafted URLs could exploit this vulnerability. The medium severity rating reflects moderate risk; however, the broad use of PrestaShop in global e-commerce means many organizations could be exposed. Failure to address this vulnerability could also lead to compliance issues with data protection regulations if customer data is compromised.

To mitigate CVE-2024-25841, organizations should immediately upgrade the 'So Flexibilite' module to version 4.1.26 or later, where the vulnerability is patched. Until the patch is applied, implement strict input validation and sanitization on all user-supplied data fields within the module to prevent script injection. Deploy a robust Content Security Policy (CSP) to restrict the execution of unauthorized scripts. Monitor web server logs and application behavior for unusual or suspicious activity indicative of XSS attempts. Educate developers and administrators about secure coding practices to avoid similar vulnerabilities. Additionally, consider using web application firewalls (WAFs) configured to detect and block XSS payloads targeting PrestaShop modules. Regularly audit and test the e-commerce platform for security weaknesses to proactively identify and remediate vulnerabilities.