CVE-2024-28393

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the scalapay PrestaShop module allows remote attackers to execute arbitrary SQL commands via the ScalapayReturnModuleFrontController::postProcess() method. Attackers can escalate privileges, potentially gaining administrative access to affected PrestaShop installations. All users running scalapay v1.2.41 or earlier are affected.

💻 Affected Systems

Products:
  • scalapay PrestaShop payment module
Versions: v1.2.41 and earlier
Operating Systems: All platforms running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: Affects PrestaShop installations using the scalapay payment module. The vulnerability is in the module itself, not core PrestaShop.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the PrestaShop installation including database takeover, administrative access, customer data theft, and potential lateral movement to other systems.

🟠 Likely Case

Privilege escalation leading to administrative access, data exfiltration, and potential e-commerce fraud.

🟢 If Mitigated

Limited impact if proper input validation and WAF rules are in place, though SQL injection attempts may still be logged.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. The method is publicly documented, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.2.42 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2024/03/19/scalapay.html

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find the scalapay module.
4. Click 'Upgrade' to the latest version (v1.2.42+).
5. Clear the PrestaShop cache.

🔧 Temporary Workarounds

Disable scalapay module (platforms: all)

Temporarily disable the vulnerable module until patching is possible.

Navigate to Modules > Module Manager in the PrestaShop admin, find scalapay, and click 'Disable'.

WAF SQL injection rules (platforms: all)

Implement web application firewall rules to block SQL injection attempts.

Configure the WAF to block patterns like UNION SELECT, --, #, ;, ' OR '1'='1. A pattern blocklist only raises the bar: encoded or reordered payloads can slip past it, so treat the WAF rule as a stopgap and still upgrade the module.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level
  • Deploy network segmentation to isolate PrestaShop from sensitive databases

🔍 How to Verify

Check if Vulnerable:

Check scalapay module version in PrestaShop admin panel under Modules > Module Manager

Check Version:

SELECT version FROM ps_module WHERE name = 'scalapay';

Adjust the ps_ prefix if your installation uses a different database table prefix.

Verify Fix Applied:

Confirm scalapay module version is v1.2.42 or later in module settings
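A small check that turns the output of the version query above into a verdict, written here as an added example rather than anything shipped with the advisory or the scalapay module. It assumes rows of (name, version) pairs as the query would return them, and it compares versions numerically so that a release such as 1.2.9 is not mistaken for newer than 1.2.42 by plain string comparison. The sample rows are constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed version named in the advisory; every earlier release is affected.
FIXED_VERSION = "1.2.42"


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn 'v1.2.41' or '1.2.42' into a tuple of ints for safe comparison.

    Comparing integer tuples avoids the classic mistake where the string
    '1.2.9' sorts after '1.2.42' because '9' > '4'.
    """
    cleaned = raw.strip().lstrip("vV")
    parts = re.findall(r"\d+", cleaned)
    if not parts:
        raise ValueError(f"unparseable version string: {raw!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(module_version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed scalapay release is older than the fixed one."""
    return parse_version(module_version) < parse_version(fixed)


def assess(rows: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, object]]:
    """Rows are (name, version) pairs, e.g. from SELECT name, version FROM ps_module."""
    findings: Dict[str, Dict[str, object]] = {}
    for name, version in rows:
        if name == "scalapay":
            findings[name] = {"version": version, "vulnerable": is_vulnerable(version)}
    return findings


# Constructed sample rows standing in for real query output (assumption).
SAMPLE_ROWS = [
    ("ps_checkpayment", "2.0.5"),
    ("scalapay", "1.2.41"),
]

if __name__ == "__main__":
    for name, info in assess(SAMPLE_ROWS).items():
        status = "VULNERABLE - upgrade required" if info["vulnerable"] else "patched"
        print(f"{name} {info['version']}: {status}")
```

Feed it the real rows from your database and treat any "vulnerable" result as a module that still needs the v1.2.42+ upgrade.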

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from unexpected sources
  • POST requests to scalapay return endpoint with SQL patterns

Network Indicators:

  • Unusual outbound database connections from web server
  • Traffic patterns matching SQL injection payloads

SIEM Query:

source="prestashop.log" AND ("ScalapayReturnModuleFrontController" OR "scalapay") AND ("UNION" OR "SELECT" OR "--" OR "#" OR "' OR")
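The SIEM query above keys on SQL keywords, which on their own are noisy. The following added example (not code from the advisory, the module vendor, or PrestaShop) shows the same detection idea applied to web-server access logs with the noise reduced: a line is flagged only if it targets the scalapay return front controller and its decoded request target carries one of the advisory's SQL indicators. It assumes combined log format and assumes the controller is reached via PrestaShop's usual routes (`/module/scalapay/return` or `index.php?fc=module&module=scalapay&controller=return`); the log lines are constructed. Because POST bodies are not written to access logs, POST abuse is only visible when the payload rides in the query string, which is why the SIEM query against the application log remains useful alongside this.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote_plus

# Combined log format: client - - [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed routes for the module's return front controller (friendly-URL form and
# index.php?fc=module form). Assumption, not taken from the advisory.
RETURN_ENDPOINT_RE = re.compile(
    r"(/module/scalapay/return|fc=module&module=scalapay&controller=return)", re.I
)

# Indicators echoed from the advisory's SIEM query and WAF workaround.
SQLI_PATTERNS = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "UNION SELECT"),
    (re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I), "tautology ' OR '1'='1"),
    (re.compile(r"--|#"), "comment terminator"),
    (re.compile(r"'\s*or\b", re.I), "' OR"),
]


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are seen."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def analyse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious scalapay return request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    if not RETURN_ENDPOINT_RE.search(decoded):
        return None  # only the scalapay return controller is in scope
    hits = [label for rx, label in SQLI_PATTERNS if rx.search(decoded)]
    if not hits:
        return None
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "method": m.group("method"),
        "status": m.group("status"),
        "indicators": hits,
        "target": decoded,
    }


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    return [r for r in (analyse_line(l) for l in lines) if r]


# Constructed access-log lines (assumption): one benign return, two injection attempts
# against the return controller, and two benign requests that merely contain keywords.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/Mar/2024:10:00:01 +0000] "GET /module/scalapay/return?orderToken=abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [19/Mar/2024:10:00:07 +0000] "GET /module/scalapay/return?orderToken=abc%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Mar/2024:10:01:12 +0000] "POST /index.php?fc=module&module=scalapay&controller=return&id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '192.0.2.4 - - [19/Mar/2024:10:02:00 +0000] "GET /index.php?controller=product&id_product=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [19/Mar/2024:10:02:30 +0000] "GET /search?q=select+the+best+shoes HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} {finding['method']} -> {finding['indicators']}")
```

Run it over the real access log (one line per iteration) and forward findings to the SIEM; the endpoint filter is what keeps ordinary product searches containing "select" out of the alert stream.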
