IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether due to a lack of awareness, an inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
[CVE-2023-39676] XSS in FieldPopupNewsletter Prestashop Module
An XSS vulnerability was found in the FieldPopupNewsletter module, developed by FieldThemes, for the PrestaShop e-commerce platform.
Summary
- CVE ID: CVE-2023-39676
- Published at: 2023-09-07
- Discovery credit: Sorcery
- Platform: PrestaShop
- Product: fieldpopupnewsletter
- Impacted release: < 1.0.1 ?
- Product author: FieldThemes
- Weakness: CWE-79
- Severity: medium (6.1)
Description
The module contains a file called ajax.php with the following code:
// ajax.php: the POST 'email' value is handed straight to the module method,
// and whatever that method echoes becomes the HTTP response body.
$ppp = new FieldPopupNewsletter();
echo $ppp->newsletterRegistration($_POST['email']);
The newsletterRegistration function, called by the ajax.php file, contains code that lacks proper input validation:
public function newsletterRegistration($email) {
    if (empty($email) || !Validate::isEmail($email)) {
        // $_GET['callback'] is written to the response verbatim: it is neither
        // validated nor escaped before being concatenated with the JSON payload.
        echo $_GET['callback'] . '(' . json_encode(array('<p class="alert alert-danger">' . $this->l('Invalid email address.') . '</p>')) . ')';
        return;
    }
The callback GET parameter is written to the page without sanitization, which makes it susceptible to XSS. One might think that passing the email as a POST parameter mitigates this, but a closer reading shows that the vulnerable branch runs whenever $_POST['email'] is empty or fails Validate::isEmail, which includes the case where it isn't set at all, as in a plain GET request.
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: required
- Scope: unchanged
- Confidentiality: low
- Integrity: low
- Availability: none
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Proof of Concept
As a demonstration of the vulnerability, an attacker can craft a malicious URL, like the one shown below, to execute arbitrary JavaScript code on the target user’s browser:
http://localhost/modules/fieldpopupnewsletter/ajax.php?callback=%3Cscript%3Ealert(0)%3C/script%3E
Patch
--- a/modules/fieldpopupnewsletter/fieldpopupnewsletter.php
+++ b/modules/fieldpopupnewsletter/fieldpopupnewsletter.php
@@ -684,0 +685,3 @@ class FieldPopupNewsletter extends Module
+ if (isset($_GET['callback']) && !Validate::isCleanHtml($_GET['callback'])) {
+ return;
+ }
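Review bot: the guard only rejects callback values that fail Validate::isCleanHtml and then returns silently, which is a reject-list on HTML fragments rather than a check that the value has the shape a JSONP callback can legitimately have; a stricter fix is to allowlist the identifier form, e.g. `if (!isset($_GET['callback']) || !preg_match('/^[A-Za-z_$][A-Za-z0-9_$.]*$/', $_GET['callback'])) { return; }`, so that no unexpected character ever reaches the echo. The hunk header `@@ -684,0 +685,3 @@` names only the class, not the method, so it is worth confirming in the patched release that these three lines sit before the `echo $_GET['callback'] . '(' ...` statement in newsletterRegistration, and that a request with a rejected callback still gets a meaningful response rather than an empty body.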
Other recommendations
XSS vulnerabilities are serious security risks that can lead to unauthorized access, data theft, and other malicious activities. In the case of the FieldPopupNewsletter module, a lack of input validation exposes users to potential attacks.
We strongly advise users of this module to update to the latest patched version, which should address the XSS vulnerability.
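The unescaped echo described under Description and the reject-list check in the patch both turn on one question: does the callback value have the shape a JSONP callback can legitimately have? The Python below is an added example written for this advisory, not code from the FieldThemes module or from the patch. It shows the allowlist check a hardened handler would apply (the same regular expression a PHP port would hand to preg_match()), a response builder that refuses anything failing it, and a scan over access-log lines that reports requests to the module's ajax.php whose callback parameter fails the check. The IP addresses, timestamps and callback names in the sample log are constructed for the example.

```python
"""Added example for CVE-2023-39676 (not part of the advisory or the module).

Two defender-side pieces around the vulnerable JSONP echo:
1. jsonp_response(): only emits a callback name that matches the identifier
   shape a JSONP callback can have, instead of echoing $_GET['callback'] raw.
2. scan_access_log(): flags requests to the module's ajax.php whose callback
   parameter fails that same allowlist, so probes stand out in web logs.
All log lines below are constructed sample data, not from a real host.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist: a JavaScript identifier, optionally dotted (e.g. "jQuery.cb1").
# Angle brackets, quotes, parentheses and spaces can never match it.
CALLBACK_RE = re.compile(
    r'^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$'
)

# Path of the vulnerable endpoint as given in the advisory.
AJAX_PATH = "/modules/fieldpopupnewsletter/ajax.php"

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+'
)


def is_safe_callback(name):
    """True only for a non-empty, reasonably short identifier-shaped name."""
    return bool(name) and len(name) <= 64 and CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(callback, payload):
    """Hardened counterpart of the vulnerable echo.

    The vulnerable code writes $_GET['callback'] . '(' . json_encode(...) . ')'
    without any check, so a callback containing markup is reflected as markup.
    Here the callback must pass the allowlist or the request is refused; the
    result is a (status, body) tuple standing in for an HTTP response.
    """
    if callback is None:
        # No JSONP requested: answer with plain JSON.
        return 200, json.dumps(payload)
    if not is_safe_callback(callback):
        return 400, json.dumps({"error": "invalid callback name"})
    # The payload goes through json.dumps, which escapes quotes and control
    # characters, and the callback is limited to identifier characters.
    return 200, f"{callback}({json.dumps(payload)})"


def scan_access_log(lines):
    """Return (client_ip, decoded_callback) for requests to ajax.php whose
    callback parameter fails the allowlist. Legitimate JSONP callers and
    unrelated requests are not reported."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path != AJAX_PATH:
            continue
        # parse_qs percent-decodes, so %3Cscript%3E is seen as <script>.
        for cb in parse_qs(parts.query, keep_blank_values=True).get("callback", []):
            if not is_safe_callback(cb):
                hits.append((ip, cb))
    return hits


# Constructed sample log: one legitimate JSONP call, one request carrying the
# advisory's proof-of-concept callback value, one unrelated page view.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Sep/2023:10:00:01 +0000] '
    '"GET /modules/fieldpopupnewsletter/ajax.php?callback=jQuery_cb1 HTTP/1.1" 200 87',
    '198.51.100.7 - - [07/Sep/2023:10:00:05 +0000] '
    '"GET /modules/fieldpopupnewsletter/ajax.php?callback=%3Cscript%3Ealert(0)%3C/script%3E HTTP/1.1" 200 112',
    '203.0.113.10 - - [07/Sep/2023:10:00:09 +0000] '
    '"GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, cb in scan_access_log(SAMPLE_LOG):
        print(f"suspicious callback from {ip}: {cb!r}")
```

Running the module prints one line for the 198.51.100.7 request and nothing for the legitimate jQuery_cb1 call; the same CALLBACK_RE pattern, placed before the echo in newsletterRegistration via preg_match(), closes the reflection regardless of which HTML fragments a reject-list happens to know about.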
Timeline
Date | Action |
---|---|
10/07/2023 | Issue discovered during a pentest |
12/07/2023 | Reported issue to FieldThemes |
29/07/2023 | Requested CVE from MITRE |
28/08/2023 | Number CVE-2023-39676 assigned |
31/08/2023 | Patch released |
07/09/2023 | Blog post and nuclei template released |
Links
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch are licensed under CC BY-SA 4.0