High severity 7.3 · NVD Advisory · Published Jun 24, 2024 · Updated Apr 15, 2026

CVE-2024-36683

Description

SQL injection vulnerability in the module "Products Alert" (productsalert) before 1.7.4 from Smart Modules for PrestaShop allows attackers to obtain sensitive information and cause other impacts via the ProductsAlertAjaxProcessModuleFrontController::initContent method.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Smart Modules' Products Alert module for PrestaShop allows unauthenticated attackers to obtain sensitive data and compromise the shop.

Vulnerability

CVE-2024-36683 is a SQL injection vulnerability in the Products Alert module (productsalert) from Smart Modules for PrestaShop, affecting versions prior to 1.7.4. The flaw resides in the ProductsAlertAjaxProcessModuleFrontController::initContent method, which fails to properly neutralize SQL parameters, allowing an attacker to inject arbitrary SQL commands [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable front controller. No privileges or user interaction are required, and the attack vector is network-based with low complexity. Because the exploit uses a PrestaShop front controller, it may be concealed in standard access logs, appearing only as a POST to "/", making detection difficult without specialized audit tools like mod_security [1].

Impact

Successful exploitation can lead to severe consequences, including unauthorized access to sensitive data, modification or deletion of data, email hijacking through SMTP setting changes, and ultimately full compromise of the PrestaShop installation. The CVSS v3.1 base score is 9.8 (Critical) based on network attack vector, low complexity, and no required privileges [1].

Mitigation

The vulnerability is fixed in version 1.7.4 of the Products Alert module. Users are strongly recommended to upgrade to the latest version. Additionally, enabling the AuditEngine of mod_security (or similar WAF) can help detect and block exploitation attempts [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
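
For the mod_security audit logging recommended under Mitigation, the following is an added configuration example, not taken from the advisory or from the module vendor: a minimal ModSecurity v2 setup for Apache that turns on the audit engine and records POST request bodies, which a standard access log omits. The rule id, the log path and the choice to audit every POST are assumptions to adjust per site.

```apache
# Constructed example for Apache with ModSecurity v2 (mod_security2).
# Paths and the rule id are assumptions; adapt them to the host.
<IfModule security2_module>
    # Inspect traffic without blocking while rules are being tuned.
    SecRuleEngine DetectionOnly

    # Buffer request bodies so POST parameters reach rules and the audit log.
    # Without this, part C below stays empty.
    SecRequestBodyAccess On

    # Write audit records only for transactions marked relevant,
    # either by response status or by a rule carrying "auditlog".
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

    # A = audit header, B = request headers, C = request body,
    # F = response headers, H = audit trailer, Z = end-of-entry marker.
    SecAuditLogParts ABCFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # The access log shows a front-controller request only as a POST to "/".
    # Force a full audit record for every POST so the submitted parameters
    # are available for review. "nolog,auditlog" keeps the error log quiet
    # while still writing the audit entry.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:1000100,phase:1,pass,nolog,auditlog,ctl:auditEngine=On"
</IfModule>
```

Audit records written this way contain complete POST bodies, including login and checkout fields, so restrict read access to the audit log and rotate it.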
