CVE-2024-24308
Description
SQL Injection vulnerability in Boostmyshop (boostmyshopagent) module for Prestashop versions 1.1.9 and before, allows remote attackers to escalate privileges and obtain sensitive information via changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Boostmyshop module for PrestaShop ≤1.1.9 allows unauthenticated remote attackers to gain admin access and leak sensitive data.
Vulnerability
The Boostmyshop (boostmyshopagent) module for PrestaShop versions 1.1.9 and earlier contains a SQL injection vulnerability in three scripts: changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php [1]. The apiKey parameter is concatenated directly into SQL queries without sanitization, allowing an unauthenticated attacker to inject arbitrary SQL commands via a crafted HTTP request [1].
Exploitation
An attacker with network access can send a crafted HTTP request to any of the affected scripts with malicious SQL payloads in the apiKey parameter [1]. No authentication, user interaction, or special privileges are required [1]. The attack complexity is low and the scope is unchanged [1].
Impact
Successful exploitation can lead to full compromise of the PrestaShop installation [1]. The attacker can obtain admin access, delete data, expose sensitive tokens from database tables, rewrite SMTP settings to hijack emails, and copy sensitive information from backend tables [1]. The CVSS 3.1 base score is 9.8 (critical) with high impact on confidentiality, integrity, and availability [1].
Mitigation
The vulnerability is fixed in boostmyshopagent version 1.1.10, released by Boostmyshop [1]. Users should upgrade to at least version 1.1.10 immediately. The patch applies the pSQL() function to sanitize the apiKey parameter before use in queries [1]. No workaround is provided for unpatched versions.
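As an added illustration (not the boostmyshopagent module's code, which this page does not show), the defect and the fix described above in PrestaShop's own PHP idiom: the request's apiKey value spliced straight into a query, beside the same lookup with pSQL() applied as the mitigation describes, plus an input-validation check as defence in depth. The table name bms_agent_keys and the function names are assumptions for the example; PrestaShop's Tools, Db, pSQL() and _DB_PREFIX_ are real and assumed to be loaded.

```php
<?php
// Added illustration, not the module's real code. Table and function names are
// hypothetical; only the apiKey parameter, the concatenation defect and the
// pSQL() fix come from the CVE narrative. Assumes PrestaShop's bootstrap
// (config/config.inc.php) has been included so Tools, Db and pSQL() exist.

// Vulnerable form: the raw request value becomes part of the SQL text, so a
// quote character in apiKey changes the structure of the query rather than
// being compared as data.
function lookupAgentUnsafe(): ?array
{
    $apiKey = Tools::getValue('apiKey');
    $sql = 'SELECT id_employee FROM ' . _DB_PREFIX_ . 'bms_agent_keys '
         . "WHERE api_key = '" . $apiKey . "'";
    $rows = Db::getInstance()->executeS($sql);
    return $rows ? $rows[0] : null;
}

// Fixed form as the mitigation describes: pSQL() escapes quotes and backslashes
// so the value can only ever be compared as a string literal. Caveat: pSQL()
// is only safe when the result sits inside single quotes in the query; numeric
// values should instead be cast with (int) before concatenation.
function lookupAgentSafe(): ?array
{
    $apiKey = (string) Tools::getValue('apiKey');
    $sql = 'SELECT id_employee FROM ' . _DB_PREFIX_ . 'bms_agent_keys '
         . "WHERE api_key = '" . pSQL($apiKey) . "'";
    $rows = Db::getInstance()->executeS($sql);
    return $rows ? $rows[0] : null;
}

// Defence in depth beyond the patch: reject anything that does not have the
// shape of an API key before it reaches the database at all. The allowed
// character set and length are assumptions for the example.
function lookupAgentStrict(): ?array
{
    $apiKey = (string) Tools::getValue('apiKey');
    if (!preg_match('/^[A-Za-z0-9]{16,64}$/', $apiKey)) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    $sql = 'SELECT id_employee FROM ' . _DB_PREFIX_ . 'bms_agent_keys '
         . "WHERE api_key = '" . pSQL($apiKey) . "'";
    $rows = Db::getInstance()->executeS($sql);
    return $rows ? $rows[0] : null;
}
```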
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Boostmyshop/boostmyshopagent
  - Range: <=1.1.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.