Cybersecurity specialists report the detection of a critical vulnerability in PrestaShop, an open-source content management system (CMS) designed for building e-commerce websites from scratch. According to the report, successful exploitation of the flaw would allow remote code execution on the affected systems.
Identified as CVE-2022-21686, the vulnerability exists due to improper input validation when processing Twig templates in a legacy design. Remote threat actors could send specially crafted requests and execute arbitrary PHP code on the affected system.
This is a high-severity flaw that received a score of 8.5/10 under the Common Vulnerability Scoring System (CVSS), since successful exploitation would allow full compromise of the affected system.
According to the report, the flaw lies in the following versions of PrestaShop: 1.7.0.0, 1.7.0.0 alpha.3.0, 1.7.0.0 alpha.4.0, 1.7.0.0 beta.1.0, 1.7.0.0 beta.2.0, 1.7.0.0 beta.3.0, 1.7.0.0 RC0, 1.7.0.0 RC1, 1.7.0.0 RC2, 1.7.0.0 RC3, 1.7.0.1, 1.7.0.2, 1.7.0.3, 1.7.0.4, 1.7.0.5, 1.7.0.6, 1.7.1.0, 1.7.1.0 -, 1.7.1.1, 1.7.1.2, 1.7.2.0, 1.7.2.1, 1.7.2.2, 1.7.2.3, 1.7.2.4, 1.7.2.5, 1.7.3.0, 1.7.3.1, 1.7.3.2, 1.7.3.3, 1.7.3.4, 1.7.4.0, 1.7.4.1, 1.7.4.2, 1.7.4.3, 1.7.4.4, 1.7.5.0, 1.7.5.1, 1.7.5.2, 1.7.6.0, 1.7.6.1, 1.7.6.2, 1.7.6.3, 1.7.6.4, 1.7.6.5, 1.7.6.6, 1.7.6.7, 1.7.6.8, 1.7.6.9, 1.7.7.0, 1.7.7.1, 1.7.7.2, 1.7.7.3, 1.7.7.4, 1.7.7.5, 1.7.7.6, 1.7.7.7, 1.7.7.8, 1.7.8.0, 1.7.8.1 and 1.7.8.2.
While the flaw can be exploited remotely by unauthenticated threat actors, no active exploitation attempts have been detected so far. Still, cybersecurity experts recommend updating affected PrestaShop installations as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.