[CVE-2023-39676] XSS in FieldPopupNewsletter Prestashop Module
An XSS was found within the FieldPopupNewsletter module, developed by FieldThemes, for the popular ecommerce platform Prestashop.
Summary
- CVE ID: CVE-2023-39676
- Published at: 2023-09-07
- Discovery credit: Sorcery
- Platform: PrestaShop
- Product: fieldpopupnewsletter
- Impacted release: < 1.0.1 ?
- Product author: FieldThemes
- Weakness: CWE-79
- Severity: medium (6.1)
Description
The module contains a file called ajax.php with the following code:
```php
$ppp = new FieldPopupNewsletter();
echo $ppp->newsletterRegistration($_POST['email']);
```
The newsletterRegistration function, called by the ajax.php file, contains code that lacks proper input validation:
```php
public function newsletterRegistration($email) {
    if (empty($email) || !Validate::isEmail($email)) {
        // $_GET['callback'] is concatenated into the output unencoded
        echo $_GET['callback'] . '(' . json_encode(array('<p class="alert alert-danger">' . $this->l('Invalid email address.') . '</p>')) . ')';
        return;
    }
    // ... remainder of the function not shown in the advisory
}
```
The callback GET parameter is echoed into the response without any encoding, so whatever it contains is reflected verbatim and can carry script. One might assume that the use of a POST parameter for the email limits exposure, but the vulnerable branch is precisely the one taken when $_POST['email'] is empty or invalid, so a plain GET request that sends no email at all reaches the echo.
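As an added example (not the module's or FieldThemes' code), the following is a hardened version of the same JSONP response path: the callback is checked against a JavaScript-identifier allowlist instead of an HTML denylist, the JSON payload is encoded with tag-escaping flags, and the body is served as JavaScript. Function names are hypothetical, and PrestaShop's Validate::isEmail is replaced by PHP's filter_var so the snippet runs outside the platform.

```php
<?php
// Added example, not the module's own code. Names are hypothetical; only the
// $_GET['callback'] / $_POST['email'] handling mirrors the advisory.

// Allowlist: a plain JavaScript identifier chain such as "jQuery123_cb" or
// "app.handlers.onNewsletter". Unlike Validate::isCleanHtml, which filters
// known HTML/JS markers, anything outside this pattern is rejected outright.
function isSafeJsonpCallback(string $callback): bool
{
    return strlen($callback) <= 64
        && (bool) preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/', $callback);
}

// Build the JSONP body. JSON_HEX_* keeps "<", ">", "&", quotes escaped even
// inside strings, so a message containing markup cannot break out of the
// JavaScript string literal.
function jsonpResponse(string $callback, array $payload): string
{
    $json = json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $callback . '(' . $json . ');';
}

function handleNewsletterRequest(?string $email, ?string $callback): string
{
    if ($callback === null || !isSafeJsonpCallback($callback)) {
        http_response_code(400);
        return ''; // never reflect a callback the allowlist did not accept
    }
    // Serve as JavaScript, not text/html, so a browser opening the URL
    // directly does not render the body as a document.
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');

    // filter_var stands in for Validate::isEmail here (assumption for
    // running outside PrestaShop).
    if (empty($email) || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return jsonpResponse($callback, array('error' => 'Invalid email address.'));
    }
    return jsonpResponse($callback, array('ok' => true));
}

// The advisory's request (callback=<script>alert(0)</script>, no email)
// now yields an empty 400 response instead of reflecting the markup.
echo handleNewsletterRequest($_POST['email'] ?? null, $_GET['callback'] ?? null);
```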
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: Required
- Scope: unchanged
- Confidentiality: low
- Integrity: low
- Availability: none
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Proof of Concept
As a demonstration of the vulnerability, an attacker can craft a malicious URL, like the one shown below, to execute arbitrary JavaScript code in the target user's browser:
http://localhost/modules/fieldpopupnewsletter/ajax.php?callback=%3Cscript%3Ealert(0)%3C/script%3E
Patch
--- a/modules/fieldpopupnewsletter/fieldpopupnewsletter.php
+++ b/modules/fieldpopupnewsletter/fieldpopupnewsletter.php
@@ -684,0 +685,3 @@ class FieldPopupNewsletter extends Module
+ if (isset($_GET['callback']) && !Validate::isCleanHtml($_GET['callback'])) {
+ return;
+ }
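Review bot: the inserted check gates the reflection on Validate::isCleanHtml, a denylist of known HTML and script markers, while the echo in newsletterRegistration still writes $_GET['callback'] unencoded, so any markup the denylist does not recognise would still be reflected. A stricter fix is to accept only a JavaScript identifier, e.g. `preg_match('/^[A-Za-z_$][A-Za-z0-9_$.]*$/', $_GET['callback'])`, and to send the response with a JavaScript content type. Note also that the hunk is three context-free inserted lines (`@@ -684,0 +685,3 @@`), so it should be confirmed that they land before the echo on the invalid-email path, and that a bare `return;` leaves the caller with an empty body, which the calling page must tolerate.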
Other recommendations
XSS vulnerabilities are serious security risks that can lead to unauthorized access, data theft, and other malicious activities. In the case of the FieldPopupNewsletter module, a lack of input validation exposes users to potential attacks.
We strongly advise users of this module to update to the latest patched version, which should address the XSS vulnerability.
Timeline
| Date | Action |
|---|---|
| 10/07/2023 | Issue discovered during a pentest |
| 12/07/2023 | Reported issue to FieldThemes |
| 29/07/2023 | Requested CVE from MITRE |
| 28/08/2023 | Number CVE-2023-39676 assigned |
| 31/08/2023 | Patch released |
| 07/09/2023 | Blog post and nuclei template released |
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch is licensed under CC BY-SA 4.0