VYPR
Medium severity 6.8 · NVD Advisory · Published Apr 29, 2024 · Updated Apr 15, 2026

CVE-2024-33272

Description

SQL injection in KnowBand Search Auto Suggest PrestaShop module before 2.0.0 allows unauthenticated remote attackers to execute arbitrary SQL commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2024-33272 is an SQL injection vulnerability in the KnowBand Search Auto Suggest (autosuggest) module for PrestaShop, affecting versions before 2.0.0. The vulnerability exists in the AutosuggestSearchModuleFrontController::initContent() and AutosuggestSearchModuleFrontController::getKbProducts() methods, which contain sensitive SQL calls that can be executed via a trivial HTTP request [1]. The issue stems from improper neutralization of SQL parameters (CWE-89), allowing an attacker to inject arbitrary SQL commands without authentication [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the module's front controller, supplying a malicious SQL payload in the keyword parameter that bypasses input sanitization [1]. The attack requires no user interaction and can be performed remotely over the network with low complexity, as the CVSS v3.1 base score of 9.8 (Critical) indicates [1]. Notably, the exploit is reportedly being actively used to deploy web skimmers that steal credit card data, and attackers can obscure the module controller's path in logs, making detection difficult without specialized web application firewall rules [1].

Impact

Successful exploitation grants the attacker the ability to run arbitrary SQL commands on the PrestaShop database. This can lead to complete compromise of the site, including data theft (customer information, credentials), data deletion, exposure of sensitive tokens that enable admin privileges, rewriting SMTP settings for email hijacking, and other malicious actions [1]. The CVSS impact metrics rate confidentiality, integrity, and availability as high, reflecting the severe potential damage [1].

Mitigation

The vulnerability is fixed in version 2.0.0 of the autosuggest module. Users are strongly advised to upgrade to the latest version immediately [1]. For additional security, deploying web application firewall rules (e.g., mod_security AuditEngine) is recommended to help detect and block exploitation attempts [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper neutralization of special elements used in an SQL command in the `initContent()` and `getKbProducts()` methods allows user-supplied input to be interpreted as SQL."

Attack vector

An attacker can trigger the SQL injection by sending a crafted HTTP POST request to the module's front controller with a malicious `keyword` parameter [ref_id=1]. The request uses the module's controller path (`fc=module&module=autosuggest&controller=search`) and injects SQL via the `keyword` field, for example appending a semicolon followed by arbitrary SQL statements [ref_id=1]. No authentication is required, and the attack can be performed over the network with low complexity [ref_id=1]. The exploit is actively used in the wild to deploy web skimmers that steal credit card data [ref_id=1].

Affected code

The vulnerability resides in the PrestaShop module's front controller methods `AutosuggestSearchModuleFrontController::initContent()` and `AutosuggestSearchModuleFrontController::getKbProducts()` [ref_id=1]. These methods contain SQL calls that accept unsanitized user input, allowing an attacker to inject arbitrary SQL commands [ref_id=1].

What the fix does

The advisory states that version 2.0.0 of the autosuggest module fixes the vulnerability [ref_id=1]. No patch diff is provided in the bundle, but the recommended remediation is to upgrade to version 2.0.0 or later [ref_id=1]. The advisory also notes that upgrading to the latest PrestaShop version disables multiquery execution (separated by semicolons), which helps mitigate the attack, though it cautions that this alone is not a complete protection [ref_id=1].

Preconditions

  • config: The target PrestaShop site must have the autosuggest module (version < 2.0.0) installed and enabled.
  • auth: No authentication or user interaction is required; the attacker can be anonymous.
  • network: The attacker must be able to send HTTP POST requests to the PrestaShop front controller path.
  • input: The attacker supplies a malicious `keyword` parameter containing an SQL injection payload.

Reproduction

The advisory provides the following proof-of-concept command [ref_id=1]:

```shell
curl -v -d 'fc=module&module=autosuggest&controller=search&keyword=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--&prod_id=1' 'https://preprod.X'
```

This sends a POST request with a SQL injection payload in the `keyword` parameter, targeting the module's front controller [ref_id=1].
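The request shape above (form-encoded POST to `fc=module&module=autosuggest&controller=search` with the payload in `keyword`) is what a defender has to recognise. The following detection helper is an added example, not code from the advisory, from KnowBand or from PrestaShop. It assumes request bodies are available to the detector (for instance from a ModSecurity audit log or a reverse proxy configured to log POST bodies): because the payload travels in the body, an access log that records only the request line will show neither the module path nor the keyword, which is one reason the advisory notes the controller path is easy to hide in logs. The regular expressions and the sample bodies are constructed for this example; the second sample mimics the stacked-query idiom of the proof of concept with an inert statement.

```python
"""Flag PrestaShop autosuggest search requests whose `keyword` parameter
carries stacked-query or quote-breaking SQL injection markers.

Added example, not part of the advisory or the module. Assumes decoded
request bodies (application/x-www-form-urlencoded) are available; the
marker patterns below are this example's own heuristics.
"""
import re
from urllib.parse import parse_qs

# Heuristics for the injection class the advisory describes: closing a quoted
# string, stacking a further statement after ';', terminating the rest of the
# query with a comment, UNION-based extraction and time-based probes.
_SQLI_MARKERS = [
    re.compile(r"['\"]\s*;"),                                        # quote then separator
    re.compile(r";\s*(select|insert|update|delete|drop|prepare|execute)\b", re.I),
    re.compile(r"(--|#|/\*)\s*$"),                                   # trailing comment
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
]


def parse_body(body: str) -> dict[str, str]:
    """Decode a form-encoded body into a first-value-per-key map.
    parse_qs splits on '&' only (Python >= 3.9.2), so ';' stays inside values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def targets_autosuggest_search(params: dict[str, str]) -> bool:
    """True when the request is routed to the module's search front controller."""
    return (
        params.get("fc") == "module"
        and params.get("module", "").lower() == "autosuggest"
        and params.get("controller", "").lower() == "search"
    )


def keyword_looks_injected(keyword: str) -> list[str]:
    """Return the marker patterns that matched; empty means the keyword looks benign."""
    return [p.pattern for p in _SQLI_MARKERS if p.search(keyword)]


def classify_request(body: str) -> dict:
    """Classify one request body: routing to the vulnerable controller plus marker hits."""
    params = parse_body(body)
    routed = targets_autosuggest_search(params)
    hits = keyword_looks_injected(params.get("keyword", ""))
    return {"autosuggest": routed, "injection_markers": hits, "alert": routed and bool(hits)}


def alerting_indices(bodies: list[str]) -> list[int]:
    """Indices of the bodies that should raise an alert."""
    return [i for i, b in enumerate(bodies) if classify_request(b)["alert"]]


# Constructed sample bodies (not captured traffic).
SAMPLE_BODIES = [
    # 0: ordinary search
    "fc=module&module=autosuggest&controller=search&keyword=red+shoes&prod_id=1",
    # 1: stacked-query injection in the style of the PoC, with an inert SELECT
    'fc=module&module=autosuggest&controller=search&keyword=1";select+1+into+@a;prepare+b+from+@a;execute+b;--&prod_id=1',
    # 2: legitimate apostrophe in a product name; must not alert
    "fc=module&module=autosuggest&controller=search&keyword=O'Brien+jacket",
    # 3: injection markers but not routed to the autosuggest controller
    'controller=search&keyword=1";drop+table+x;--',
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        print(i, classify_request(body))
    print("alerting:", alerting_indices(SAMPLE_BODIES))
```

The `alert` field requires both conditions, so a broader rule that fires on the markers alone (index 3 here) is a one-line change; keeping the routing check reduces noise on a store where many other forms also contain quotes and semicolons. Sample 2 is included deliberately: a product search for "O'Brien" contains a quote but none of the stacking markers, and a rule that simply blocked on `'` would break legitimate searches.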

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.