CVE-2024-33276
📋 TL;DR
This CVE describes a SQL injection vulnerability in the FME Modules preorderandnotification module for PrestaShop. Attackers can execute arbitrary SQL commands through the PreorderModel::getIdProductAttributesByIdAttributes() method, potentially compromising the database. All users of preorderandnotification v3.1.0 and earlier are affected.
💻 Affected Systems
- FME Modules preorderandnotification
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data theft, modification, deletion, or full system takeover through SQL command execution.
Likely Case
Unauthorized data access, privilege escalation, or database manipulation leading to business disruption.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permissions in place.
🎯 Exploit Status
SQL injection typically has low exploitation complexity when unauthenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.1.1 or later
Vendor Advisory: https://security.friendsofpresta.org/modules/2024/04/25/preorderandnotification.html
Restart Required: No
Instructions:
1. Download the latest version from the official source.
2. Back up the current installation.
3. Replace the module files.
4. Clear the PrestaShop cache.
🔧 Temporary Workarounds
Input Validation
Implement strict input validation for all user inputs to the vulnerable method.
WAF Rules
Deploy web application firewall rules to block SQL injection patterns.
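The input-validation workaround above is illustrated here with an added example that is not code from the advisory, the module, or FriendsOfPresta. It uses an in-memory SQLite table whose shape is an assumption (a stand-in for PrestaShop's product-attribute combination table, with id_attribute and id_product_attribute columns) and contrasts a lookup that concatenates request values into the SQL text with a hardened lookup that rejects anything that is not an integer id and binds the values through placeholders. The function names lookup_unsafe, validate_ids and lookup_safe are hypothetical and do not correspond to the module's own PreorderModel methods.

```python
import re
import sqlite3

# Constructed rows for the stand-in table: (id_attribute, id_product_attribute).
# Assumption: only the column shape resembles PrestaShop; the data is invented.
SAMPLE_ROWS = [
    (1, 10),
    (2, 10),
    (3, 11),
    (4, 12),
]

INT_RE = re.compile(r"[0-9]+")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ps_product_attribute_combination "
        "(id_attribute INTEGER, id_product_attribute INTEGER)"
    )
    conn.executemany(
        "INSERT INTO ps_product_attribute_combination VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, id_attributes) -> list:
    """Vulnerable pattern: request values are pasted straight into the SQL text.

    A value such as '1 OR 1=1' changes the WHERE clause instead of being
    treated as an id, so the query returns every row in the table.
    """
    where = " OR ".join(f"id_attribute = {v}" for v in id_attributes)
    sql = (
        "SELECT DISTINCT id_product_attribute "
        f"FROM ps_product_attribute_combination WHERE {where}"
    )
    return sorted(row[0] for row in conn.execute(sql))


def validate_ids(values) -> list:
    """Accept only non-negative decimal integers; reject everything else.

    This is the 'strict input validation' the workaround calls for: the
    check happens before any SQL is built, so rejected input never reaches
    the database at all.
    """
    clean = []
    for v in values:
        s = str(v).strip()
        if not INT_RE.fullmatch(s):
            raise ValueError(f"invalid attribute id: {s!r}")
        clean.append(int(s))
    return clean


def lookup_safe(conn: sqlite3.Connection, id_attributes) -> list:
    """Hardened pattern: validated integers bound through placeholders.

    Even if validation were bypassed, the driver binds the values as data,
    so they can never alter the structure of the statement.
    """
    ids = validate_ids(id_attributes)
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT DISTINCT id_product_attribute "
        "FROM ps_product_attribute_combination "
        f"WHERE id_attribute IN ({placeholders})"
    )
    return sorted(row[0] for row in conn.execute(sql, ids))


if __name__ == "__main__":
    db = make_db()
    print("benign, unsafe :", lookup_unsafe(db, ["1", "3"]))
    print("benign, safe   :", lookup_safe(db, ["1", "3"]))
    print("crafted, unsafe:", lookup_unsafe(db, ["1 OR 1=1"]))
    try:
        lookup_safe(db, ["1 OR 1=1"])
    except ValueError as exc:
        print("crafted, safe  : rejected ->", exc)
```

Both defences belong together: the integer check gives a clear error at the edge of the application, and the placeholder binding makes the database call safe regardless of what the validation layer lets through. Casting with int() alone, as PrestaShop code often does with (int), achieves the same effect for single ids; for lists the value must be validated element by element before it is joined into an IN clause.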
🧯 If You Can't Patch
- Disable or remove the preorderandnotification module immediately.
- Implement network segmentation to isolate affected systems from critical assets.
🔍 How to Verify
Check if Vulnerable:
Check module version in PrestaShop admin panel under Modules > Module Manager.
Check Version:
Check PrestaShop database: SELECT version FROM ps_module WHERE name = 'preorderandnotification';
Verify Fix Applied:
Confirm that the module version is v3.1.1 or later and test that SQL injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts
- Unexpected database errors
Network Indicators:
- SQL keywords in HTTP requests to vulnerable endpoint
- Unusual database connection patterns
SIEM Query:
source="web_logs" AND (url="*PreorderModel*" OR method="*getIdProductAttributesByIdAttributes*") AND (query="*SELECT*" OR query="*UNION*" OR query="*INSERT*")
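The SIEM query above expresses the detection idea in search syntax; the following added example, which is not part of the advisory and not a FriendsOfPresta or PrestaShop tool, shows the same logic run offline over a few constructed access-log lines in Apache/Nginx combined format. It goes slightly beyond the query: it URL-decodes the query string before keyword matching (so encoded payloads such as %20UNION%20 are caught), flags id_* parameters that are not integers, and flags 5xx responses on the module endpoint, which corresponds to the "unexpected database errors" indicator listed above. The endpoint prefix /module/preorderandnotification/ is an assumption based on PrestaShop's usual /module/<name>/<controller> front-controller URLs; adjust it to the paths seen in your own logs.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed log lines; not real traffic. Line 2 carries an encoded SQL
# keyword in an id parameter, line 4 is a server error on the module endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2024:10:01:02 +0000] "GET /module/preorderandnotification/ajax?id_attribute=12&id_product=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Apr/2024:10:01:07 +0000] "GET /module/preorderandnotification/ajax?id_attribute=12%20UNION%20SELECT%201 HTTP/1.1" 200 9081 "-" "curl/8.0"
198.51.100.2 - - [25/Apr/2024:10:01:11 +0000] "GET /index.php?controller=product&id_product=7 HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Apr/2024:10:01:15 +0000] "POST /module/preorderandnotification/ajax HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# Assumption: PrestaShop front-controller URL for the module.
MODULE_PATH = "/module/preorderandnotification/"

# Keywords from the page's SIEM query plus a few common additions.
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b", re.IGNORECASE
)

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote_plus(parts.path)
    # parse_qsl percent-decodes values, so encoded keywords become visible.
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    entry["status"] = int(entry["status"])
    return entry


def analyse(entry: dict) -> list:
    """Return the reasons an entry is suspicious (empty list if it is not)."""
    reasons = []
    if not entry["path"].lower().startswith(MODULE_PATH):
        return reasons  # only the module endpoint is in scope
    for name, value in entry["params"]:
        if SQL_KEYWORDS.search(value):
            reasons.append(f"sql keyword in parameter {name!r}")
        # Attribute and product ids should always be plain integers.
        if name.startswith("id_") and not value.isdigit():
            reasons.append(f"non-integer id parameter {name!r}={value!r}")
    if entry["status"] >= 500:
        reasons.append(f"server error {entry['status']} on module endpoint")
    return reasons


def scan_log(text: str) -> list:
    """Scan a log text and return findings as dicts with line number, ip and reasons."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = analyse(entry)
        if reasons:
            findings.append({"line": line_no, "ip": entry["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']} from {finding['ip']}: " + "; ".join(finding["reasons"]))
```

Keyword matching on its own is noisy (product names can legitimately contain words like "select"), so the non-integer-id check is the more precise signal for this particular method: every id the endpoint expects is numeric, and anything else is either a broken client or a probe. A source address that trips both checks, or that produces 5xx responses on the module endpoint shortly after, is worth correlating with database error logs.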