CVE-2024-34988
📋 TL;DR
This SQL injection vulnerability in the PrestaShop 'Complete for Create a Quote in Frontend + Backend Pro' module allows attackers to execute arbitrary SQL commands through multiple controller methods. Attackers can potentially view sensitive database information, modify data, or gain unauthorized access. All PrestaShop installations using affected versions of this third-party module are vulnerable.
💻 Affected Systems
- PrestaShop with 'Complete for Create a Quote in Frontend + Backend Pro' module (askforaquotemodul)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, remote code execution, or complete system takeover.
Likely Case
Unauthorized access to sensitive customer data (personal information, orders, payment details), database manipulation, and potential authentication bypass.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.
🎯 Exploit Status
SQL injection vulnerabilities are commonly exploited, and this affects multiple controller methods accessible from both frontend and backend.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: > 1.0.51
Vendor Advisory: https://security.friendsofpresta.org/modules/2024/06/20/askforaquotemodul.html
Restart Required: No
Instructions:
1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find the 'Complete for Create a Quote in Frontend + Backend Pro' module.
4. Check the current version.
5. If the version is <= 1.0.51, update to the latest version from the Buy Addons marketplace.
6. Clear the PrestaShop cache after the update.
🔧 Temporary Workarounds
Disable vulnerable module
Temporarily disable the affected module until it is patched (applies to all versions). The `ps_` table prefix below is PrestaShop's default; substitute your installation's prefix if it differs.
UPDATE ps_module SET active = 0 WHERE name = 'askforaquotemodul';
WAF rule for SQL injection
Implement web application firewall rules that block SQL injection patterns in requests to the vulnerable endpoints (applies to all versions).
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user inputs in the module
- Apply principle of least privilege to database user accounts used by the module
🔍 How to Verify
Check if Vulnerable:
Check module version in PrestaShop admin panel under Modules > Module Manager > 'Complete for Create a Quote in Frontend + Backend Pro'
Check Version:
SELECT version, active FROM ps_module WHERE name = 'askforaquotemodul';
Verify Fix Applied:
Confirm module version is > 1.0.51 and test vulnerable endpoints with SQL injection payloads
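The version gate above is easy to get wrong when versions are compared as strings ("1.0.6" sorts after "1.0.51" lexically, so a naive check would mark a vulnerable install as fixed). The following is an added example, not code from the advisory or from the module vendor: it compares the module version numerically against the page's threshold (fixed only when > 1.0.51) and evaluates a constructed set of `ps_module` rows, as the query above would return them.

```python
import re

# The advisory states the fix is in versions above 1.0.51.
LAST_VULNERABLE = (1, 0, 51)


def parse_version(version: str) -> tuple:
    """Split a dotted version string into a tuple of ints so it compares numerically.

    Leading digits of each segment are used; a non-numeric segment such as
    'beta' in '1.0.52.beta' ends the tuple.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version is at or below 1.0.51."""
    return parse_version(version) <= LAST_VULNERABLE


def assess_module_rows(rows, module_name="askforaquotemodul"):
    """Evaluate rows of (name, version, active) from ps_module.

    Returns None when the module is not installed, otherwise a dict with the
    installed version, whether it is vulnerable, and whether it is enabled.
    """
    for row in rows:
        if row["name"] == module_name:
            return {
                "version": row["version"],
                "vulnerable": is_vulnerable_version(row["version"]),
                "active": bool(row["active"]),
            }
    return None


# Constructed sample rows (not taken from a real installation).
SAMPLE_ROWS = [
    {"name": "blockcart", "version": "2.0.0", "active": 1},
    {"name": "askforaquotemodul", "version": "1.0.6", "active": 1},
]

if __name__ == "__main__":
    result = assess_module_rows(SAMPLE_ROWS)
    print(result)
    # Plain string comparison would get this case wrong:
    print("string compare says 1.0.6 > 1.0.51:", "1.0.6" > "1.0.51")
```

An enabled module at a vulnerable version is the case to act on; a disabled one still warrants the update, since the workaround above can be reverted by any administrator.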
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in PrestaShop logs
- Multiple failed SQL queries from single IP
- Requests to vulnerable endpoints with SQL keywords
Network Indicators:
- HTTP requests containing SQL injection patterns to vulnerable controller endpoints
- Unusual database query patterns from web server
SIEM Query:
source="prestashop.logs" AND ("Askforaquotemodul" AND ("SQL" OR "syntax" OR "error" OR "UNION" OR "SELECT"))
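The indicators above (SQL keywords in requests to the module's endpoints, server errors on those requests, repeated hits from one IP) can be checked directly against web server access logs when no SIEM is in place. The following is an added example, not part of the advisory: it scans a constructed sample of combined-format access log lines, keeps only requests routed to the module, and flags lines that carry common SQL injection syntax or returned a 5xx status. It assumes PrestaShop's standard module routing (`fc=module&module=<name>` and `/module/<name>/`); the controller and parameter names in the sample are made up, since the advisory does not name the affected controllers.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access log (combined format); not real traffic.
# Controller/parameter names ("example", "id_product") are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2024:10:01:02 +0000] "GET /index.php?fc=module&module=askforaquotemodul&controller=example&id_product=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jun/2024:10:01:03 +0000] "GET /index.php?fc=module&module=askforaquotemodul&controller=example&id_product=12%27%20UNION%20SELECT%201 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2024:10:02:10 +0000] "GET /module/askforaquotemodul/example?id_product=3%20OR%201%3D1 HTTP/1.1" 200 5123 "-" "curl/8.0"
192.0.2.9 - - [20/Jun/2024:10:03:00 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jun/2024:10:03:30 +0000] "GET /index.php?fc=module&module=askforaquotemodul&controller=example&id_product=12%27-- HTTP/1.1" 500 310 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Requests routed to this module: query-string form or friendly-URL form.
MODULE_RE = re.compile(r"(?:[?&]module=askforaquotemodul(?:&|$)|/module/askforaquotemodul/)", re.I)

# Generic SQL injection syntax; applied to the URL-decoded request.
SQLI_RE = re.compile(
    r"\bunion\b\s+(?:all\s+)?\bselect\b"  # UNION SELECT
    r"|'\s*(?:or|and)\b"                  # quote followed by a boolean operator
    r"|\b(?:or|and)\s+\d+\s*=\s*\d+"      # tautology such as OR 1=1
    r"|--|/\*",                           # SQL comment sequences
    re.I,
)


def parse_line(line: str):
    """Parse one access log line; return None for lines that do not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    record["decoded"] = unquote_plus(record["path"])  # decode %27, %20, + ...
    return record


def scan_log(text: str):
    """Return findings for module requests that look like injection attempts or errored."""
    findings = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None or not MODULE_RE.search(record["decoded"]):
            continue
        reasons = []
        if SQLI_RE.search(record["decoded"]):
            reasons.append("sql-pattern")
        if record["status"] >= 500:  # a SQL error often surfaces as a 500
            reasons.append("server-error")
        if reasons:
            findings.append({
                "ip": record["ip"],
                "ts": record["ts"],
                "status": record["status"],
                "reasons": reasons,
                "request": record["decoded"],
            })
    return findings


def repeat_offenders(findings, threshold: int = 2):
    """IPs with at least `threshold` flagged module requests (the advisory's 'multiple from single IP')."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["ip"], hit["ts"], hit["status"], hit["reasons"], hit["request"])
    print("repeat offenders:", repeat_offenders(hits))
```

Scoping the pattern match to requests that actually route to the module keeps the false-positive rate manageable; applied to the whole log, `--` and `OR 1=1` style patterns will fire on legitimate search queries and product descriptions.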