CVE-2024-28392
📋 TL;DR
This SQL injection vulnerability in the pscartabandonmentpro PrestaShop module allows remote attackers to execute arbitrary SQL commands via the setEmailVisualized() method. Attackers can escalate privileges, potentially gaining administrative access to affected PrestaShop installations. All users running version 2.0.11 or earlier are affected.
💻 Affected Systems
- pscartabandonmentpro (Abandoned Cart Reminder Pro)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the PrestaShop installation including database takeover, customer data theft, and installation of backdoors for persistent access.
Likely Case
Administrative account takeover leading to e-commerce site defacement, data exfiltration, and financial fraud through order manipulation.
If Mitigated
Limited impact: strict input validation and parameterized queries prevent the injection from succeeding, though the vulnerable endpoint remains reachable until the module is updated.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized. The CVSS 9.8 score indicates critical severity with low attack complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.12 or later
Vendor Advisory: https://security.friendsofpresta.org/modules/2024/03/14/pscartabandonmentpro.html
Restart Required: No
Instructions:
1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find 'Abandoned Cart Reminder Pro'.
4. Click 'Update' or manually upload version 2.0.12+.
5. Clear the PrestaShop cache.
🔧 Temporary Workarounds
Disable vulnerable module
Temporarily disable the pscartabandonmentpro module until it is patched.
-- Assumes the default ps_ table prefix; adjust if your installation uses a custom prefix.
UPDATE ps_module SET active = 0 WHERE name = 'pscartabandonmentpro';
WAF rule blocking
Implement web application firewall rules to block SQL injection patterns targeting the vulnerable endpoint.
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in custom code
- Deploy network segmentation to isolate the PrestaShop server from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check module version in PrestaShop admin panel under Modules > Module Manager > Abandoned Cart Reminder Pro
Check Version:
-- Assumes the default ps_ table prefix; versions 2.0.11 and earlier are vulnerable.
SELECT version FROM ps_module WHERE name = 'pscartabandonmentpro';
Verify Fix Applied:
Confirm module version is 2.0.12 or higher in the module manager
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by successful admin login
- Unexpected POST requests to /index.php?fc=module&module=pscartabandonmentpro&controller=CAPUnsubscribeJob
Network Indicators:
- SQL injection patterns in HTTP requests
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND (uri="*pscartabandonmentpro*CAPUnsubscribeJob*" AND (method="POST" OR params="*UNION*" OR params="*SELECT*" OR params="*INSERT*"))
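The version check under "How to Verify" and the SIEM logic above, combined into one offline script as an added example (not code from the advisory or the module vendor). The access-log lines, the client IPs and the `id_cart` parameter are constructed for illustration; the endpoint, the 2.0.12 fix threshold and the UNION/SELECT/INSERT keywords are taken from this page.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

FIXED_VERSION = (2, 0, 12)  # advisory: 2.0.12 or later is patched

def parse_version(v):
    """Turn '2.0.11' into (2, 0, 11) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))

def is_vulnerable(version):
    """True when the installed pscartabandonmentpro version is 2.0.11 or earlier."""
    return parse_version(version) < FIXED_VERSION

# Request line inside a common/combined access-log entry: "METHOD URI HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# SQL keywords the page's SIEM query matches in request parameters
SQL_RE = re.compile(r"\b(UNION|SELECT|INSERT)\b", re.I)

def flag_request(line):
    """Mirror the SIEM query: CAPUnsubscribeJob endpoint AND (POST OR SQL keyword in params)."""
    m = REQ_RE.search(line)
    if not m:
        return None
    method, uri = m.group("method"), m.group("uri")
    query = urlsplit(uri).query
    params = parse_qs(query)
    if params.get("module") != ["pscartabandonmentpro"] or params.get("controller") != ["CAPUnsubscribeJob"]:
        return None
    if method == "POST":
        return "POST to CAPUnsubscribeJob"
    if SQL_RE.search(unquote_plus(query)):
        return "SQL keyword in CAPUnsubscribeJob parameters"
    return None

def scan(lines):
    """Return (line index, reason) for every flagged log line."""
    return [(i, reason) for i, line in enumerate(lines) if (reason := flag_request(line))]

# Constructed sample log; only lines 1 and 2 should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2024:10:00:01 +0000] "GET /index.php?fc=module&module=pscartabandonmentpro&controller=CAPUnsubscribeJob&id_cart=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Mar/2024:10:00:02 +0000] "GET /index.php?fc=module&module=pscartabandonmentpro&controller=CAPUnsubscribeJob&id_cart=42%20UNION%20SELECT%201 HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Mar/2024:10:00:03 +0000] "POST /index.php?fc=module&module=pscartabandonmentpro&controller=CAPUnsubscribeJob HTTP/1.1" 200 128',
    '198.51.100.7 - - [14/Mar/2024:10:00:04 +0000] "GET /index.php?controller=product&id_product=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("2.0.11 vulnerable:", is_vulnerable("2.0.11"), "| 2.0.12 vulnerable:", is_vulnerable("2.0.12"))
    for idx, reason in scan(SAMPLE_LOG):
        print(f"line {idx}: {reason}")
```

Point `scan()` at your real web server access log to get the same triage the SIEM query produces; POST bodies are not in the access log, so POSTs to the endpoint are flagged regardless of content.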
🔗 References
- https://addons.prestashop.com/en/remarketing-shopping-cart-abandonment/16535-abandoned-cart-reminder-pro.html
- https://security.friendsofpresta.org/modules/2024/03/14/pscartabandonmentpro.html