CVE-2022-21686: Improper Control of Generation of Code ('Code Injection')

January 27, 2022 (updated February 7, 2022)

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

References

github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21
github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3
github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465
github.com/advisories/GHSA-mrq4-7ch7-2465
nvd.nist.gov/vuln/detail/CVE-2022-21686

Detect and mitigate CVE-2022-21686 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →