CVE-2024-36680
Description
In the module "Facebook" (pkfacebook) <=1.0.1 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The ajax script facebookConnect.php has a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The pkfacebook module for PrestaShop <=1.0.1 contains an unauthenticated SQL injection in facebookConnect.php, allowing remote attackers to execute arbitrary SQL commands.
Vulnerability
Overview
The pkfacebook module (version 1.0.1 and earlier) from Promokit.eu for PrestaShop suffers from an unauthenticated SQL injection vulnerability in the ajax/facebookConnect.php script. The id parameter is not properly sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL statements [1]. This is a classic CWE-89 weakness (improper neutralization of special elements used in an SQL command).
Exploitation
A guest (unauthenticated user) can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint. The attack requires no privileges, no user interaction, and is of low complexity. The advisory notes that this exploit is actively used in the wild to deploy a webskimmer that steals credit card information from the PrestaShop checkout process [1]. A proof-of-concept demonstrates injecting a SELECT SLEEP(42) query via the id parameter.
Impact
Successful exploitation can lead to full compromise of the PrestaShop database. An attacker can obtain admin access, extract sensitive data (including customer information and tokens), modify SMTP settings to hijack emails, and delete data. The CVSS v3 base score is 9.8 (Critical) with high impact on confidentiality, integrity, and availability [1].
Mitigation
The vendor has not confirmed which versions are patched; the advisory states that all versions may be vulnerable. Users are strongly recommended to upgrade to the latest version of the pkfacebook module if available, or to disable the module until a fix is confirmed. Additionally, implementing input validation and using prepared statements can mitigate the risk [1].
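As an added illustration of the weakness class described in the Overview and of the mitigation recommended above, the following PHP snippet is not the pkfacebook module's code (which is not reproduced on this page); it is a hypothetical PrestaShop ajax handler that concatenates the `id` request parameter into a query, shown beside two hardened variants. The table name `pk_demo_social` and the function names are invented for the example; `Tools::getValue()`, `Validate::isUnsignedId()`, `pSQL()`, `_DB_PREFIX_` and `Db::getInstance()->executeS()` are PrestaShop's own APIs.

```php
<?php
// Added example (hypothetical): the CWE-89 pattern in a PrestaShop ajax script and its remediation.
// Not the pkfacebook module's code; the table name and function names are invented.

// --- Vulnerable pattern: the untrusted request value goes straight into the SQL text ---
function lookupCustomerVulnerable()
{
    // Tools::getValue() returns whatever the client sent, as a string.
    $id = Tools::getValue('id');
    // String concatenation: whatever is in "id" becomes part of the statement,
    // so the client controls SQL syntax, not just a value.
    $sql = 'SELECT id_customer, email FROM `' . _DB_PREFIX_ . 'pk_demo_social`'
         . ' WHERE id_social = \'' . $id . '\'';
    return Db::getInstance()->executeS($sql);
}

// --- Hardened, PrestaShop-idiomatic: validate the type, then cast before building the query ---
function lookupCustomerHardened()
{
    $id = Tools::getValue('id');
    // Reject anything that is not an unsigned integer before it reaches the database.
    if (!Validate::isUnsignedId($id)) {
        http_response_code(400);
        return [];
    }
    // The (int) cast guarantees only digits are interpolated; no quoting is involved.
    $sql = 'SELECT id_customer, email FROM `' . _DB_PREFIX_ . 'pk_demo_social`'
         . ' WHERE id_social = ' . (int) $id;
    return Db::getInstance()->executeS($sql);
}

// --- Hardened, string-valued input: validate, then escape with pSQL() inside quotes ---
function lookupCustomerByHandleHardened()
{
    $handle = Tools::getValue('handle');
    if (!Validate::isGenericName($handle)) {
        http_response_code(400);
        return [];
    }
    $sql = 'SELECT id_customer, email FROM `' . _DB_PREFIX_ . 'pk_demo_social`'
         . ' WHERE handle = \'' . pSQL($handle) . '\'';
    return Db::getInstance()->executeS($sql);
}

// --- Hardened, driver-level: a prepared statement keeps data and SQL structure separate ---
// Plain PDO is used here because PrestaShop's legacy Db wrapper does not expose
// parameter binding in its public query methods.
function lookupCustomerPrepared(PDO $pdo, string $prefix, string $id): array
{
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $pdo->prepare(
        "SELECT id_customer, email FROM `{$prefix}pk_demo_social` WHERE id_social = :id"
    );
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The first function is the shape to look for when auditing a module's ajax scripts: a request value reaching `executeS()`/`execute()`/`getValue()` without a cast or `pSQL()` on the way. Integer identifiers such as `id` should always be cast, never quoted and escaped, since a cast leaves no injection surface at all.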
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.