CVE-2024-25841: Guest Cross Site Scripting (XSS) Injection Vulnerability Detected in the "So Flexibilite" Module for PrestaShop < 4.1.26

A recent vulnerability, identified as CVE-2024-25841, has been discovered in the "So Flexibilite" (soflexibilite) module, developed by Common-Services for PrestaShop < 4.1.26. The vulnerability puts the concerned websites at risk, as it allows a guest (authenticated customer) to exploit Cross Site Scripting (XSS) Injection. This post will provide a comprehensive overview of the issue, examples of code snippets that demonstrate the vulnerability, and links to original references for a better understanding.

What is Cross Site Scripting (XSS)?

Cross Site Scripting (XSS) is a web application vulnerability that enables attackers to inject malicious scripts into web pages viewed by other users. As a consequence, the attacker can potentially gain access to sensitive information, change a webpage's appearance, or perform other actions on behalf of the victim.

Exploit Details

In the PrestaShop "So Flexibilite" module, an authenticated customer, or a guest, can perform XSS injection. The vulnerability is likely due to insufficient sanitization and validation of user-provided input fields in the module's code. When exploited, it can allow attackers to execute malicious scripts within the victim's browser sessions.

The following code snippet demonstrates an example of this vulnerability

<!-- This is a simple example of an XSS attack using the So Flexibilite module -->
<script>
  var payload = "<img src='x' onerror='alert(\"XSS\")'>";
  var inputElement = document.querySelector(".soflexibilite-input");
  inputElement.value = payload;
  inputElement.form.submit();
</script>

In this example, an attacker crafts a malicious payload containing an XSS attack <img src='x' onerror='alert("XSS")'>. This script will trigger an alert in the user's browser when the image fails to load. The attacker then sets the payload as the value of a target input element in the "So Flexibilite" module and submits the form.

When a victim logs in as a guest or an authenticated customer and accesses the affected webpage, the browser will process the malicious payload and execute the attacker's script.

The vulnerability was published in the following sources

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25841
- National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-25841

Mitigation and Recommendations

To mitigate the risk posed by CVE-2024-25841, it is recommended that users of the "So Flexibilite" module for PrestaShop update to the latest version (4.1.26 or higher). In addition, web application developers and administrators should implement strong input validation and sanitization mechanisms to prevent XSS attacks.

Conclusion

The CVE-2024-25841 vulnerability in the "So Flexibilite" module for PrestaShop poses a significant risk to websites that utilize this module. By taking advantage of the vulnerability, a malicious attacker can conduct XSS attacks on unsuspecting users. Therefore, it is essential for web application developers and administrators to remain vigilant and take appropriate measures to mitigate such risks. Updating the affected module, enhancing input validation techniques, and ensuring proper sanitization of user-provided data are essential steps in minimizing the impact of potential cyber-attacks.

Timeline

Published on: 02/27/2024 17:15:12 UTC
Last modified on: 02/28/2024 14:06:45 UTC