PrestaShop is a very popular open-source e-commerce platform that powers thousands of online stores worldwide. But like many complex platforms, it has its share of security issues. In this article, we'll break down CVE-2022-21686, a code injection vulnerability affecting PrestaShop versions from 1.7.. to 1.7.8.3, focusing on how it works, how it’s exploited, and what you need to do to stay safe.

What is CVE-2022-21686?

CVE-2022-21686 is a vulnerability that lets an attacker inject Twig template code into the PrestaShop back office if it’s using the "legacy" layout. Twig is a PHP templating engine used by PrestaShop and many other Symfony apps to safely render dynamic content—but in the wrong hands, it can run dangerous commands.

Versions Affected

| Software   | Affected Versions | Patched |
|------------|-------------------|---------|
| PrestaShop | 1.7.. - 1.7.8.3   | 1.7.8.3 |

How Does the Vulnerability Work?

If an attacker is able to inject Twig code anywhere that PrestaShop's back office later renders, their code will get executed with the privileges of the PHP process running PrestaShop.

Example Consequence:  
- The attacker could potentially fetch user data, steal admin session cookies, or even run server commands via dangerous Twig functions (if not sufficiently restricted).

Prerequisites

- Access to any spot in the PrestaShop back office that accepts user input and later renders it via Twig in the legacy layout.
- In some environments, it might require low-privileged staff access or exploiting a separate bug that allows injecting data into affected fields.

Sample Exploit (Twig Injection)

Suppose there is a profile field in the shop admin that gets displayed using Twig. An attacker could inject:

```twig
{{ 7*7 }}
```

When the admin loads the page, instead of seeing their profile, they see 49, showing that the code executed.

But it doesn’t stop there—for more dangerous actions, an attacker might inject:

```twig
{{ system('ls /') }}
```

Depending on which functions the application exposes to Twig and on PHP's own settings and security restrictions, this could run a shell `ls /` command and display directory output.

IMPORTANT: This is just a simplified example for educational purposes. The real risk is that attackers can chain this with other attacks, gaining complete control over the server or database.

Here’s a simplified PHP snippet to illustrate the kind of mistake behind the bug: user input ends up in the template source instead of being passed to the template as data.

```php
// Unsafe: the user-supplied string is compiled as part of the template,
// so any Twig syntax it contains is parsed and executed.
echo $twig->createTemplate(
    '<p>' . $_POST['userinput'] . '</p>'
)->render([]);
// If userinput is not sanitized, any Twig code will run!
```
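To make the difference concrete, here is an added example (not PrestaShop's code and not from the original article) that renders the same input two ways with the Twig library: once as template source, which reproduces the injection, and once as template data, which is the safe pattern. It assumes Twig is installed through Composer; the template name and field name are placeholders chosen for the example.

```php
<?php
// Added example: user input as template SOURCE (injectable) versus
// user input as template DATA (not parsed by Twig, autoescaped).
// Assumes: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample input, the same kind of payload shown in the article.
$userInput = '{{ 7*7 }}';

// A fixed template shipped with the application; the user value is a variable.
$loader = new ArrayLoader([
    'admin_info.html.twig' => '<p>Field: {{ userField }}</p>',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// UNSAFE: the user-controlled string becomes part of the template itself,
// so Twig parses and evaluates whatever syntax it contains.
function renderUnsafe(Environment $twig, string $userInput): string
{
    return $twig->createTemplate('<p>Field: ' . $userInput . '</p>')->render([]);
}

// SAFE: the template is fixed and the user string is passed as data. Twig
// never parses it, and autoescape encodes HTML metacharacters on output.
function renderSafe(Environment $twig, string $userInput): string
{
    return $twig->render('admin_info.html.twig', ['userField' => $userInput]);
}

echo "unsafe: ", renderUnsafe($twig, $userInput), PHP_EOL;
echo "safe:   ", renderSafe($twig, $userInput), PHP_EOL;
```

The unsafe path evaluates the expression and prints 49; the safe path prints the literal text `{{ 7*7 }}` because Twig only interprets the template file, never the values handed to it. Code review for this bug class therefore looks for `createTemplate()`, string-built template sources, or loaders that read user-controlled strings, not for `render()` calls that pass variables.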

Official Patch and Fix

If you're running any PrestaShop between 1.7.. and 1.7.8.3, update now!  
There are no known workarounds—only upgrading fixes the issue.

Fixed version: 1.7.8.3

- Official Security Release Note
- GitHub Advisory

1. Upgrade PrestaShop to 1.7.8.3 or above as soon as you can.

2. Review access logs for unusual activity—look for any payloads with Twig curly braces {{ or {%.
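As an added example for the log review step (this is not part of the article and not a PrestaShop tool), the script below scans access-log lines in combined log format, percent-decodes the request target so encoded braces such as `%7B%7B` are caught, and reports any line carrying a Twig delimiter. The log lines are constructed samples; the paths and IPs are illustrative.

```php
<?php
// Added example: flag access-log entries whose request URL contains Twig
// delimiters ({{, {%, {#), after undoing percent-encoding.

// Constructed sample lines in Apache/nginx combined log format.
$sampleLog = <<<'LOG'
203.0.113.5 - - [26/Jan/2022:20:15:01 +0000] "GET /admin-dev/index.php?controller=AdminDashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2022:20:15:09 +0000] "GET /admin-dev/index.php?controller=AdminEmployees&name=%7B%7B7*7%7D%7D HTTP/1.1" 200 640 "-" "curl/7.81"
203.0.113.7 - - [26/Jan/2022:20:15:12 +0000] "POST /admin-dev/index.php?controller=AdminEmployees&q={%25 set x=1 %25} HTTP/1.1" 302 0 "-" "curl/7.81"
198.51.100.9 - - [26/Jan/2022:20:16:00 +0000] "GET /img/p/1/1-home_default.jpg HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
LOG;

/**
 * Return the lines whose decoded request target contains a Twig delimiter.
 * Each hit is [line number, client IP, decoded request target, delimiter].
 */
function findTwigPayloads(string $log): array
{
    $hits = [];
    $delimiters = ['{{', '{%', '{#'];
    foreach (explode("\n", $log) as $i => $line) {
        // Pull the client IP and the quoted request line: METHOD TARGET PROTOCOL
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        $ip = $m[1];
        $target = $m[3];
        // Decode twice so double-encoded payloads (%257B -> %7B -> {) are seen too.
        $decoded = rawurldecode(rawurldecode($target));
        foreach ($delimiters as $d) {
            if (strpos($decoded, $d) !== false) {
                $hits[] = [$i + 1, $ip, $decoded, $d];
                break;
            }
        }
    }
    return $hits;
}

foreach (findTwigPayloads($sampleLog) as [$lineNo, $ip, $target, $d]) {
    printf("line %d: %s sent '%s' in %s\n", $lineNo, $ip, $d, $target);
}
```

On the sample above the second and third lines are reported and the others are not. Keep in mind that access logs only record the request line, so a payload submitted in a POST body (which is how back-office forms normally send data) will not appear there; for those you need application-level logging or a review of the stored field values themselves.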

Summary

CVE-2022-21686 is a critical vulnerability in PrestaShop's admin panel that lets an attacker run arbitrary Twig code on your server if you’re using the legacy layout. With no workaround available, upgrading is the only way to secure yourself.

Further Reading

- PrestaShop Official Site
- Twig Documentation
- SSWG Advisory

Timeline

Published on: 01/26/2022 20:15:00 UTC
Last modified on: 02/04/2022 16:21:00 UTC