ValidateCore::isCleanHtml() method of PrestaShop misses hijackable events which can lead to XSS injection, allowed by the presence of pre-setup @keyframes rules.

Summary

  • CVE ID: CVE-2023-39527
  • Published at: 2023-08-07
  • Advisory source: PrestaShop
  • Platform: PrestaShop
  • Product: PrestaShop
  • Impacted release: >= 8.0.0 < 8.0.5, >= 8.1.0 < 8.1.1 and < 1.7.8.10 (patched versions 8.1.1, 8.0.5 and 1.7.8.10)
  • Weakness: CWE-79
  • Severity: high (8.3)

Description

This XSS, injected through HTML event-handler attributes, fires without any interaction from the visitor/administrator, which makes it as dangerous as a plain stored XSS.

Most attribute-based XSS that fires without user interaction relies on handlers such as onload / onerror, which only exist on a limited set of elements. The handlers missed by isCleanHtml() can be attached to any HTML element, so the attack surface is the complete set of elements rather than a handful of tags.
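As an added illustration (not code from the advisory or from PrestaShop), the following stand-alone PHP script re-creates the three preg_match() checks of ValidateCore::isCleanHtml() with the event denylist as a parameter, so the behaviour before and after the patch can be compared on constructed payloads. The "before" list is only the fragment visible in the patch hunk, not the full list the real method builds; the payloads are constructed for this example.

```php
<?php
// Added example: minimal re-creation of the checks in ValidateCore::isCleanHtml(),
// parameterised by the event denylist. Not PrestaShop code.

// Fragment of the pre-patch denylist, exactly as visible in the patch context lines.
// The real method concatenates a much longer list before these.
$eventsBefore = 'ondragleave|ondragover|ondragstart|ondrop|onerrorupdate|onfilterchange|onfinish|onfocusin|onfocusout|onhashchange|onhelp|oninput|onlosecapture|onmessage|onmouseup|onmovestart'
    . '|onoffline|ononline|onpaste|onpropertychange|onreadystatechange|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onsearch|onselectionchange'
    . '|onselectstart|onstart|onstop|onanimationcancel|onanimationend|onanimationiteration|onanimationstart';

// The line the patch adds.
$eventsAfter = $eventsBefore
    . '|onpointerover|onpointerenter|onpointerdown|onpointermove|onpointerup|onpointerout|onpointerleave|onpointercancel|ongotpointercapture|onlostpointercapture';

/**
 * Same three tests as the method: a <script tag, a denylisted event attribute
 * followed by "=", or a "script:" pseudo-scheme anywhere in the input.
 */
function isCleanHtmlLike(string $html, string $events): bool
{
    if (preg_match('/<[\s]*script/ims', $html)
        || preg_match('/(' . $events . ')[\s]*=/ims', $html)
        || preg_match('/.*script\:/ims', $html)) {
        return false;
    }

    return true;
}

// Constructed payloads for this example.
$payloads = [
    // Fires from a CSS animation, no interaction needed; already in the pre-patch list.
    '<div style="animation:x 1s" onanimationstart=alert(1)>a</div>',
    // Pointer event on an arbitrary element: passes before the patch, denied after.
    '<div onpointerover=alert(1)>hover me</div>',
    // Case and whitespace variants are still caught (flag /i and [\s]*).
    '<p ONPOINTERMOVE = alert(1)>text</p>',
    // Pseudo-scheme, denied by the "script:" check in both versions.
    '<a href="javascript:alert(1)">x</a>',
    // Benign markup, accepted by both.
    '<p>plain <b>content</b></p>',
];

foreach ($payloads as $p) {
    printf(
        "%-62s before: %-6s after: %s\n",
        $p,
        isCleanHtmlLike($p, $eventsBefore) ? 'clean' : 'DENIED',
        isCleanHtmlLike($p, $eventsAfter) ? 'clean' : 'DENIED'
    );
}
```

To test a real installation rather than this abbreviation, paste the full $events string from classes/Validate.php of the version in question in place of $eventsBefore; the second payload is the one that distinguishes a patched from an unpatched list.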

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: high
  • User interaction: required
  • Scope: changed
  • Confidentiality: low
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:H

Possible malicious usage

Patch

--- a/classes/Validate.php
+++ b/classes/Validate.php
@@ -521,6 +521,7 @@ public static function isCleanHtml($html, $allow_iframe = false)
         $events .= '|ondragleave|ondragover|ondragstart|ondrop|onerrorupdate|onfilterchange|onfinish|onfocusin|onfocusout|onhashchange|onhelp|oninput|onlosecapture|onmessage|onmouseup|onmovestart';
         $events .= '|onoffline|ononline|onpaste|onpropertychange|onreadystatechange|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onsearch|onselectionchange';
         $events .= '|onselectstart|onstart|onstop|onanimationcancel|onanimationend|onanimationiteration|onanimationstart';
+        $events .= '|onpointerover|onpointerenter|onpointerdown|onpointermove|onpointerup|onpointerout|onpointerleave|onpointercancel|ongotpointercapture|onlostpointercapture';
 
         if (preg_match('/<[\s]*script/ims', $html) || preg_match('/(' . $events . ')[\s]*=/ims', $html) || preg_match('/.*script\:/ims', $html)) {
             return false;
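Review bot: the added `$events .= '|onpointerover|...'` line keeps the filter a hand-enumerated denylist, so any event attribute absent from the string still passes `preg_match('/(' . $events . ')[\s]*=/ims', $html)` and the next forgotten handler name is a bypass of exactly the same shape as this one; consider backing the list with a generic rejection such as `/\bon[a-z]+[\s]*=/i` or an allowlist-based sanitizer. Minor: the leading `.*` in `'/.*script\:/ims'` is redundant, since preg_match already finds the pattern anywhere in the subject, and with the `s` flag it only makes the engine scan the whole input before backtracking.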

Other recommendations

  • It is recommended to upgrade to the latest version of PrestaShop.
  • Configure CSP rules, especially for your back office.