CVE-2024-21628: 
PHP vulnerability analysis and mitigation

PrestaShop, an open-source e-commerce platform, disclosed a cross-site scripting (XSS) vulnerability identified as CVE-2024-21628. The vulnerability was discovered in versions prior to 8.1.3, where the isCleanHtml method was not implemented on a specific form, allowing the storage of XSS payloads in the database. The issue was reported by Rona Febriana and patched in version 8.1.3 (Vendor Advisory).

The vulnerability stems from the absence of the isCleanHtml validation method in the customer message form within the order detail page. This security flaw received a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N according to NVD's assessment. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The impact of this vulnerability is considered low in the back office (BO) due to Twig's escape mechanism preventing HTML interpretation. However, in the front office (FO), the cross-site scripting attack can be executed, though it only affects the customer sending the payload or the customer session from which it was sent. The risk is heightened for installations using modules that fetch messages from the database and display them without proper HTML escaping (Vendor Advisory).

The vulnerability has been patched in PrestaShop version 8.1.3. Users are advised to upgrade to this version or later to address the security issue. The fix implements the isCleanHtml validation method for the message field in the CustomerMessage class (GitHub Patch).