CVE-2024-28394

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of the Advanced Plugins reportsstatistics module for PrestaShop (sold as "Sales Reports, Statistics, Custom Fields & Export"). By exploiting the module, attackers can run malicious code with potentially full system access. All users of reportsstatistics v1.3.20 and earlier are affected.

💻 Affected Systems

Products:
  • Advanced Plugins reportsstatistics module for PrestaShop
Versions: v1.3.20 and all earlier versions
Operating Systems: Any OS running PrestaShop (typically Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects PrestaShop installations with the reportsstatistics module installed and enabled. The module must be present and active for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, or establish persistent backdoors.

🟠 Likely Case

Website defacement, data theft, installation of cryptocurrency miners or ransomware, and unauthorized administrative access to the PrestaShop installation.

🟢 If Mitigated

Limited impact with proper network segmentation, web application firewalls, and minimal privileges, potentially containing the attack to the web server environment.

🌐 Internet-Facing: HIGH - The vulnerability affects a PrestaShop module that is typically exposed to the internet, allowing remote exploitation without authentication.
🏢 Internal Only: MEDIUM - While less likely to be targeted, internal systems could still be compromised through phishing or other initial access vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability appears to be easily exploitable based on the CVSS score and available technical details. Public proof-of-concept code exists, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.3.21 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2024/03/14/reportsstatistics.html

Restart Required: No

Instructions:

  1. Log into your PrestaShop admin panel.
  2. Navigate to Modules > Module Manager.
  3. Find the 'Sales Reports, Statistics, Custom Fields & Export' module.
  4. Check the current version.
  5. If it is below v1.3.21, update through the module interface or download the latest version from the vendor.
  6. Verify that the module functions correctly after the update.

🔧 Temporary Workarounds

Disable vulnerable module (platform: all)

Temporarily disable the reportsstatistics module to prevent exploitation while planning the permanent fix.

# Access the PrestaShop admin panel and disable the module via the GUI, or via the database
# (ps_ is PrestaShop's default table prefix; adjust it if your installation uses another):
UPDATE ps_module SET active = 0 WHERE name = 'reportsstatistics';

Web Application Firewall rule (platform: linux)

Block suspicious requests to the vulnerable module endpoints.

# Example ModSecurity rule. Note that it denies every request whose URI contains the module
# name, including legitimate admin use of the module, so pair it with disabling the module:
SecRule REQUEST_URI "@contains reportsstatistics" "id:1001,phase:1,deny,status:403"

🧯 If You Can't Patch

  • Isolate the PrestaShop server from critical internal networks using firewall rules
  • Implement strict network monitoring and alerting for suspicious activity targeting the reportsstatistics module

🔍 How to Verify

Check if Vulnerable:

Check the module version in the PrestaShop admin panel under Modules > Module Manager > Sales Reports, Statistics, Custom Fields & Export. If the version is 1.3.20 or lower, you are vulnerable.

Check Version:

# Check via the PrestaShop database (ps_ is the default table prefix; adjust if yours differs):
SELECT version FROM ps_module WHERE name = 'reportsstatistics';

Verify Fix Applied:

Confirm the module version shows 1.3.21 or higher in the admin panel and test module functionality to ensure it works properly.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to reportsstatistics module endpoints
  • Unexpected process execution from web server user
  • Error logs containing suspicious PHP code or command execution attempts

Network Indicators:

  • Unusual outbound connections from web server to external IPs
  • Spikes in traffic to reportsstatistics module paths
  • HTTP requests with encoded payloads in parameters

SIEM Query:

source="web_server_logs" AND (uri="*reportsstatistics*" AND (method="POST" OR status="500"))
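The log indicators above, turned into a small offline check over web server access logs, as an added example that is not part of the original advisory. It flags requests to the module path that are POSTs, return HTTP 500, or carry percent-encoded query parameters (the same conditions as the SIEM query, plus the "encoded payloads" network indicator); the sample log lines and the module path /modules/reportsstatistics/ajax.php are constructed for illustration, not taken from the advisory.

```python
import re
from typing import Dict, List, Optional

# Regex for the Apache/nginx "combined" access-log format (only the fields we need).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
MODULE_MARKER = "reportsstatistics"  # module directory name from the advisory

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Apply the advisory's indicators to one parsed request; an empty list means not flagged."""
    reasons: List[str] = []
    if MODULE_MARKER not in entry["uri"]:
        return reasons  # only requests touching the module are of interest
    if entry["method"] == "POST":
        reasons.append("POST to module endpoint")
    if entry["status"] == "500":
        reasons.append("server error on module endpoint")
    query = entry["uri"].partition("?")[2]  # empty string when there is no query part
    if re.search(r"%[0-9A-Fa-f]{2}", query):
        reasons.append("percent-encoded query parameters")
    return reasons

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the indicators over many log lines and collect the flagged requests in order."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line (or a different log format): skip it
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "uri": entry["uri"], "reasons": reasons})
    return hits

# Constructed sample log lines; the path /modules/reportsstatistics/ajax.php is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2024:10:01:02 +0000] "GET /modules/reportsstatistics/ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2024:10:01:05 +0000] "POST /modules/reportsstatistics/ajax.php HTTP/1.1" 200 77 "-" "curl/8.0"',
    '198.51.100.7 - - [14/Mar/2024:10:02:00 +0000] "GET /modules/reportsstatistics/ajax.php?report=%41%42 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [14/Mar/2024:10:03:00 +0000] "POST /index.php?controller=cart HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["uri"], "->", ", ".join(hit["reasons"]))
```

A plain GET with status 200 to the module is normal traffic and is not flagged; tune the rules to your own baseline before alerting on them.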
