PrestaShop powers thousands of online stores around the world. However, like any software, it can have vulnerabilities that can be exploited by hackers to gain unauthorized access or perform malicious actions. Recently, two vulnerabilities were discovered in PrestaShop that can have a significant impact on the security of online stores using this platform. We tell you how you can keep your store safe.
The first vulnerability, CVE-2023-30838, is a possible cross-site scripting (XSS) injection that can occur through the ValidateCore::isCleanHTML() method. The impact of this vulnerability is significant because it can be triggered without any interaction from the visitor or administrator of the online store. This means that a hacker can inject malicious code into the online store's HTML elements, which can be used to steal sensitive data or perform other malicious actions.
What makes this vulnerability even more dangerous is that it can hijack every HTML element in the online store. This means that the scope of this vulnerability is not limited to a specific HTML attribute, as is the case with most XSS vulnerabilities. Therefore, the risk of this vulnerability being exploited is higher, and the consequences can be more severe.
The second vulnerability, CVE-2023-30839, is a SQL filter bypass that can lead to arbitrary write requests using "SQL Manager." This vulnerability allows a back-office user to write, update, and delete data in the database without having specific rights. This means that a hacker can gain access to sensitive information, modify data, or even delete data from the online store's database.
Fix for the vulnerabilities
The best solution to address these vulnerabilities in PrestaShop is to update to the latest versions, which, as of May 2023, are PrestaShop 1.7.8.9 and PrestaShop 8.0.4. These versions include patches for the vulnerabilities, as well as other enhancements and bug fixes. Therefore, online store owners using PrestaShop are strongly advised to update to these versions as soon as possible to ensure the security and integrity of their online store.
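A quick way to tell whether an installation is still exposed is to compare its version against the fixed releases named above (1.7.8.9 for the 1.7 branch, 8.0.4 for 8.x). The following is an added example, not code from the article or from PrestaShop; it assumes the version string lives in a `const VERSION = '...'` line of app/AppKernel.php, which you should confirm for your installation.

```python
"""Check a PrestaShop version against the releases that fix
CVE-2023-30838 and CVE-2023-30839 (added example, not from the article)."""
import re

# Fixed releases stated in the article, keyed by major version.
# Any release in the same major line at or above the fix counts as patched.
FIXED_VERSIONS = {
    1: (1, 7, 8, 9),   # 1.7 branch
    8: (8, 0, 4),      # 8.x branch
}

# Constructed sample of the assumed app/AppKernel.php layout (not a real file).
SAMPLE_KERNEL = """<?php
class AppKernel extends Kernel
{
    const VERSION = '8.0.3';
"""

def parse_version(text):
    """Turn '1.7.8.9' into (1, 7, 8, 9) so tuples compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts

def read_version_from_kernel(php_source):
    """Extract the VERSION constant from AppKernel.php source (assumed layout)."""
    match = re.search(r"const\s+VERSION\s*=\s*'([0-9.]+)'", php_source)
    if not match:
        raise ValueError("no VERSION constant found")
    return match.group(1)

def is_patched(version):
    """Return (patched?, message). Unknown major lines are reported as
    unverified because the article lists no fixed release for them."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return False, f"{version}: no fixed release known for this major version"
    fixed_text = ".".join(map(str, fixed))
    if parsed >= fixed:
        return True, f"{version}: at or above fixed release {fixed_text}"
    return False, f"{version}: below {fixed_text}, update or install fixcwe79cwe89"

if __name__ == "__main__":
    installed = read_version_from_kernel(SAMPLE_KERNEL)
    print(is_patched(installed)[1])
```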
If updating your shop is not an option for you, fortunately, a solution to these vulnerabilities is available in the form of a free module that can be downloaded from GitHub. The module, called fixcwe79cwe89, has been developed by a community developer and is designed to address both vulnerabilities. Once installed, this module rewrites the vulnerable code in your PrestaShop installation with the actual fix.
Online store owners using PrestaShop should take these vulnerabilities seriously and take steps to mitigate the risks. Installing the fixcwe79cwe89 module is a simple and effective way to enhance the security of their online store and protect it against potential attacks.
Additionally, it is recommended that online store owners keep their software up to date with the latest security patches and implement other security measures, such as strong passwords, to further strengthen their online store's security.