CVE-2022-44897

Vulnerability

The ApolloTheme AP PageBuilder component for PrestaShop (versions up to and including 2.4.4) contains a reflected cross-site scripting (XSS) vulnerability in the show_number parameter. An attacker can inject arbitrary web scripts or HTML via a crafted payload in this parameter when the component processes a request. [1]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing the XSS payload in the show_number parameter. No authentication is required; any user who clicks the crafted link will trigger the script in their browser. The provided proof-of-concept demonstrates the injection. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The scope is limited to the user's browser and does not directly affect the server.

Mitigation

As of the publication date (2023-01-31), no official patch has been released by ApolloTheme. Users should contact the vendor for updates or consider disabling the affected component if possible. The vendor's website (http://apollotheme.com) may provide future fixes. [2]