CVE-2022-21686

9.0 CRITICAL

📋 TL;DR

This vulnerability allows attackers to inject Twig template code into the PrestaShop back office when using legacy layouts. Successful exploitation could lead to remote code execution or data manipulation. All PrestaShop installations from version 1.7.0.0 through 1.7.8.2 are affected.

💻 Affected Systems

Products:
  • PrestaShop
Versions: 1.7.0.0 through 1.7.8.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using legacy layout in back office. Modern layouts are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Back office compromise allowing administrative access, data manipulation, or privilege escalation.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to back office.

🌐 Internet-Facing: HIGH - Back office interfaces are often exposed to the internet for administrator access.
🏢 Internal Only: MEDIUM - Internal attackers with access to back office could exploit this vulnerability.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Requires access to back office interface. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.8.3

Vendor Advisory: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465

Restart Required: No

Instructions:

1. Back up your PrestaShop installation and database.
2. Download version 1.7.8.3 from the official PrestaShop repository.
3. Replace the affected files with the patched versions.
4. Clear the cache and verify functionality.

🔧 Temporary Workarounds

Disable Legacy Layout

Platform: all

Switch from the legacy layout to the modern layout in the back office settings.

Restrict Back Office Access

Platform: linux

Limit access to the back office interface using firewall rules or IP whitelisting. Note that the host-level rules below restrict the whole HTTPS port (443), so they also cut off the public storefront on the same host; to restrict only the admin directory, apply the allow list in the web server (virtual host or location) configuration instead.

# Replace TRUSTED_IP with the administrator's source address or network.
# Rule order matters: the ACCEPT must be appended before the DROP.
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit back office access to trusted IPs only
  • Enable detailed logging and monitoring of back office access attempts and Twig template execution

🔍 How to Verify

Check if Vulnerable:

Check the PrestaShop version in the administration panel, or examine /config/settings.inc.php for version information.

Check Version:

grep '_PS_VERSION_' /path/to/prestashop/config/settings.inc.php

Verify Fix Applied:

Verify that the version is 1.7.8.3 or higher in the administration panel or in the settings file.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Twig template execution in back office logs
  • Multiple failed login attempts followed by successful back office access
  • Unexpected file modifications in templates directory

Network Indicators:

  • Unusual HTTP POST requests to back office endpoints with Twig code patterns
  • Traffic from unexpected sources to administrative interfaces

SIEM Query (pseudo-query; adapt the source name, field names and suspicious-IP list to your platform):

source="prestashop_logs" AND ("twig injection" OR "template execution" OR "backoffice access") AND src_ip IN (suspicious_ip_list)
