CVE-2023-30838
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into PrestaShop websites through cross-site scripting (XSS). The ValidateCore::isCleanHTML() method fails to properly sanitize HTML attributes, which allows every HTML element to be hijacked without user interaction. All PrestaShop installations prior to versions 8.0.4 and 1.7.8.9 are affected.
💻 Affected Systems
- PrestaShop
📦 What is this software?
Prestashop by Prestashop
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface websites, or redirect users to malicious sites, potentially leading to complete compromise of the e-commerce platform and customer data theft.
Likely Case
Attackers inject malicious scripts to steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users, leading to account compromise and potential financial fraud.
If Mitigated
With proper input validation and output encoding controls, the attack surface is reduced, but the core vulnerability remains until patched.
🎯 Exploit Status
The vulnerability requires no authentication and can be triggered without user interaction, making exploitation straightforward for attackers with basic web security knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.4 and 1.7.8.9
Vendor Advisory: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fh7r-996q-gvcp
Restart Required: No
Instructions:
1. Backup your PrestaShop installation and database.
2. Update to PrestaShop version 8.0.4 or 1.7.8.9 using the built-in updater or manual installation.
3. Clear cache and verify functionality.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation to sanitize HTML attributes before processing.
Content Security Policy
Implement strict Content Security Policy headers to mitigate XSS impact.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads targeting HTML attributes
- Enable strict Content Security Policy (CSP) headers to limit script execution
🔍 How to Verify
Check if Vulnerable:
Check PrestaShop version in administration panel or examine /config/settings.inc.php file for version information.
Check Version:
Check PrestaShop admin dashboard or examine PS_VERSION in configuration files.
Verify Fix Applied:
Verify version is 8.0.4 or higher (for v8) or 1.7.8.9 or higher (for v1.7). Test HTML input fields for proper sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML attribute patterns in input fields
- Multiple failed sanitization attempts
- Suspicious script injection attempts in logs
Network Indicators:
- HTTP requests containing malicious HTML attribute payloads
- Unusual traffic patterns to input processing endpoints
SIEM Query:
search 'PrestaShop' AND ('XSS' OR 'script' OR 'on*=') in web server logs
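The `on*=` pattern from the SIEM query above, as an added Python example (not code from the advisory or from PrestaShop): it scans combined-format access log lines and flags query-string values that decode to an inline event-handler attribute, while ignoring parameter names that merely start with "on". The log lines, paths and parameter names are constructed, and only query strings are inspected, since access logs by default do not record request bodies.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Inline event handler: "on" + letters + "=", preceded by whitespace, a quote,
# "/" or "<" (or at the start of the value) so ordinary words do not match.
HANDLER_RE = re.compile(r'''(?:^|[\s"'/<])(on[a-z]{3,})\s*=''', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Undo repeated URL-encoding (bounded) so %253C is also seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return [(param, handler)] for query values carrying an on*= attribute."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    # parse_qsl separates names from values, so a name like "online" is ignored.
    for name, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        found = HANDLER_RE.search(decode_fully(value))
        if found:
            hits.append((name, found.group(1).lower()))
    return hits


# Constructed sample lines (hypothetical paths and parameter names).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2023:10:00:00 +0000] "GET /example?comment=%3Cp%20onmouseover%3Dx%3Ehi HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2023:10:00:02 +0000] "GET /example?comment=%253Cdiv%2520onclick%253Dx%253E HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2023:10:00:05 +0000] "GET /example?online=1&sort=position=asc HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        for name, handler in suspicious_params(line):
            print(f"line {number}: parameter {name!r} carries {handler}= attribute")
```

A value that itself begins with a word such as `online=` would still match, so treat hits as leads to review rather than confirmed injection attempts.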
🔗 References
- https://github.com/PrestaShop/PrestaShop/commit/46408ae4b02f3b8b1bb6e9dc63af5bcd858abd9c
- https://github.com/PrestaShop/PrestaShop/commit/dc682192df0e4b0d656a8e645b29ca1b9dbe3693
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fh7r-996q-gvcp