CVE-2024-25849

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on PrestaShop websites using the 'Make an offer' module version 1.7.1 or earlier. Attackers can potentially access, modify, or delete database content. All PrestaShop installations with this vulnerable module are affected.

💻 Affected Systems

Products:
  • PrestaShop Make an offer module (makeanoffer)
Versions: <= 1.7.1
Operating Systems: All operating systems running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with the vulnerable module installed and enabled.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, or complete system takeover.

🟠 Likely Case

Data exfiltration including customer information, order details, and potentially administrative credentials stored in the database.

🟢 If Mitigated

Limited impact if database permissions are properly restricted and input validation is enforced at other layers.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable by unauthenticated guests and affects web-facing e-commerce systems.
🏢 Internal Only: LOW - This primarily affects internet-facing PrestaShop installations, not internal-only systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized, and this affects a popular e-commerce platform module.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 1.7.1

Vendor Advisory: https://security.friendsofpresta.org/modules/2024/03/05/makeanoffer.html

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Search for the 'Make an offer' module.
4. Update to the latest version (>1.7.1).
5. Clear the PrestaShop cache.

🔧 Temporary Workarounds

Disable vulnerable module (applies to: all)

Temporarily disable the 'Make an offer' module until patching is possible.

Navigate to PrestaShop admin > Modules > Module Manager > Disable 'Make an offer' module

Web Application Firewall rules (applies to: all)

Implement WAF rules to block SQL injection patterns targeting the vulnerable endpoints.

Configure WAF to block SQL injection patterns in requests to /modules/makeanoffer/ endpoints

🧯 If You Can't Patch

  • Disable the 'Make an offer' module completely
  • Implement network segmentation to isolate the PrestaShop server and restrict database access

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > Make an offer module details.

Check Version:

Check PrestaShop database: SELECT version FROM ps_module WHERE name = 'makeanoffer';

Verify Fix Applied:

Confirm module version is >1.7.1 and test that SQL injection attempts are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in PrestaShop logs
  • Unusual database queries from web server IP
  • Multiple failed SQL injection attempts in access logs

Network Indicators:

  • SQL injection patterns in HTTP requests to /modules/makeanoffer/
  • Unusual database traffic from web server

SIEM Query:

source="prestashop_logs" AND ("SQL syntax" OR "You have an error in your SQL syntax" OR "makeanoffer")
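As an added example (not part of this advisory or of the module's own code), the following Python script applies the two checks above: a version comparison on the value returned by the ps_module query, and a scan of web-server access logs for requests under /modules/makeanoffer/ whose query string carries SQL meta-characters. The log lines, the file name ajax.php and the parameter id_product are constructed placeholders, not the module's real endpoint.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Last vulnerable release named in the advisory (<= 1.7.1).
LAST_VULNERABLE = (1, 7, 1)

def parse_version(text):
    """Turn '1.7.1' (as stored in ps_module.version) into a comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_vulnerable_version(version):
    """True when the installed makeanoffer version is 1.7.1 or earlier."""
    return parse_version(version) <= LAST_VULNERABLE

# Coarse SQL-injection indicators, checked on the URL-decoded query string.
SQLI_MARKERS = re.compile(r"(['\"]|--|/\*|\bunion\b|\bselect\b)", re.I)

# Common log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_suspicious_requests(log_lines):
    """Return (client_ip, path, status) for module requests carrying SQLi markers."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.startswith("/modules/makeanoffer/"):
            continue  # only the vulnerable module's paths are of interest
        if SQLI_MARKERS.search(unquote_plus(parts.query)):
            hits.append((ip, parts.path, int(status)))
    return hits

# Constructed sample access-log lines (hypothetical file and parameter names).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Mar/2024:10:00:01 +0000] "GET /modules/makeanoffer/ajax.php?id_product=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Mar/2024:10:00:02 +0000] "GET /modules/makeanoffer/ajax.php?id_product=42%27%20UNION%20SELECT%201-- HTTP/1.1" 500 311',
    '198.51.100.7 - - [05/Mar/2024:10:00:03 +0000] "GET /index.php?id_product=42%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print("1.7.1 vulnerable:", is_vulnerable_version("1.7.1"))
    print("1.7.2 vulnerable:", is_vulnerable_version("1.7.2"))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Only the second sample line is flagged: it targets the module path and decodes to a quote plus UNION/SELECT, while the third line carries a quote but hits index.php, which is outside the module's paths.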
