CVE-2025-24027
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in the ps_contactinfo PrestaShop module that allows attackers to inject malicious scripts into formatted address displays. Only shops made vulnerable by third-party modules with SQL injection vulnerabilities are affected, not fresh PrestaShop installations. Attackers could steal session cookies, redirect users, or perform actions on behalf of authenticated users.
💻 Affected Systems
- PrestaShop ps_contactinfo module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the PrestaShop admin panel, deface the store, steal customer data, or install backdoors for persistent access.
Likely Case
Attackers inject malicious JavaScript that steals user session cookies or redirects customers to phishing sites when they view contact information pages.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as plain text rather than executable code.
🎯 Exploit Status
Exploitation requires a separate SQL injection vulnerability in another module to store the XSS payload in the database first.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.3
Vendor Advisory: https://github.com/PrestaShop/ps_contactinfo/security/advisories/GHSA-35pq-7pv2-2rfw
Restart Required: No
Instructions:
1. Update the ps_contactinfo module to version 3.3.3 or later via PrestaShop admin panel or manual installation.
2. Verify the fix by checking module version.
3. Ensure all third-party modules are updated to prevent SQL injection vulnerabilities that could enable this XSS.
🧯 If You Can't Patch
- Disable the ps_contactinfo module if not essential for store operations.
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Check the ps_contactinfo module version in the PrestaShop admin panel under Modules > Module Manager. If the version is 3.3.2 or lower, the module is vulnerable.
Check Version:
Not applicable - check via PrestaShop admin interface
Verify Fix Applied:
After updating, verify module version shows 3.3.3 or higher in PrestaShop admin panel. Test contact information pages for any unexpected script execution.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries to contact information tables
- JavaScript payloads in contact form submissions or database entries
- Unexpected script tags in rendered contact pages
Network Indicators:
- External JavaScript loading from contact information pages
- Suspicious redirects from contact pages
SIEM Query:
web_logs WHERE (url_path CONTAINS '/contact' OR url_path CONTAINS '/module/ps_contactinfo') AND (request_body CONTAINS '<script>' OR request_body CONTAINS 'javascript:' OR response_body CONTAINS 'malicious-domain.com')
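As an added illustration (not part of this advisory or of the ps_contactinfo module), the Python below scans constructed address-like records for the kind of active-HTML payload a SQL injection could have stored, which is the "JavaScript payloads in database entries" indicator above, and renders a flagged record with the output encoding the "If Mitigated" section relies on. The field names and sample rows are assumptions; map them to the contact/address tables of your own shop.

```python
import html
import re
from typing import Dict, List

# Address/contact fields are plain text; none of these constructs belong in them.
SUSPECT_PATTERNS = [
    re.compile(r"<\s*/?\s*(script|iframe|object|embed|svg|img|style)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),           # inline handlers such as onerror=, onload=
    re.compile(r"javascript\s*:", re.I),           # javascript: URIs in href/src
    re.compile(r"\b(expression|url)\s*\(", re.I),  # CSS-based vectors
]

def normalize(value: str) -> str:
    """Repeatedly HTML-entity-decode so an entity-encoded payload is still caught."""
    prev = None
    while prev != value:
        prev, value = value, html.unescape(value)
    return value

def find_payloads(record: Dict[str, str]) -> List[str]:
    """Return the field names in one stored record whose content looks like active HTML."""
    flagged = []
    for field, value in record.items():
        if any(p.search(normalize(value or "")) for p in SUSPECT_PATTERNS):
            flagged.append(field)
    return flagged

def scan_rows(rows: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map row index -> flagged fields, for every row that contains a suspect value."""
    return {i: hits for i, row in enumerate(rows) if (hits := find_payloads(row))}

def render_address_safe(record: Dict[str, str]) -> str:
    """Output-encode each field before placing it in HTML; a stored payload becomes inert text."""
    return "<br>".join(html.escape(v, quote=True) for v in record.values() if v)

# Constructed sample rows (assumed field names) standing in for records read from the shop database.
SAMPLE_ROWS = [
    {"company": "Example Shop", "address1": "12 High Street", "city": "Springfield", "phone": "555-0100"},
    {"company": "Acme <img src=x onerror=alert(1)>", "address1": "1 Main St", "city": "Shelbyville", "phone": ""},
    {"company": "Plain Co", "address1": "&lt;script&gt;alert(1)&lt;/script&gt;", "city": "Ogdenville", "phone": "555-0199"},
    {"company": "Links Ltd", "address1": "2 Side Rd", "city": "North Haverbrook", "phone": "javascript:alert(1)"},
]

if __name__ == "__main__":
    for idx, fields in scan_rows(SAMPLE_ROWS).items():
        print(f"row {idx}: suspect fields {fields}")
        print("  safe rendering:", render_address_safe(SAMPLE_ROWS[idx]))
```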