CSV Injection in PrestaShop

#VU50834 CSV Injection in PrestaShop

Published: 2021-02-22

Vulnerability identifier: #VU50834

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21302

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PrestaShop
Web applications / E-Commerce systems

Vendor: PrestaShop SA

Description

The vulnerability allows a remote attacker to inject arbitrary content via CSV files.

The vulnerability exists due to improper input validation in shop search keywords via the admin panel when processing CSV files. A remote attacker can trick the victim to load a specially crafted CVS file and inject arbitrary content to the website.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PrestaShop: 1.5.0.0 - 1.7.7.1

External links
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rw4-2p99-cmx9/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in PrestaShop