CVE-2024-34994
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on PrestaShop installations using the Channable module. It affects all PrestaShop sites running Channable module version 3.2.1 or earlier, potentially leading to data theft, modification, or complete system compromise.
💻 Affected Systems
- PrestaShop Channable module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation, remote code execution, and full system takeover.
Likely Case
Data theft including customer information, order data, and administrative credentials stored in the database.
If Mitigated
Limited impact if database permissions are properly restricted and input validation is enforced at other layers.
🎯 Exploit Status
The vulnerability is in a public controller accessible to guests, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.2 or later
Vendor Advisory: https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-06-18-channable.md
Restart Required: No
Instructions:
1. Update the Channable module to version 3.2.2 or later via the PrestaShop admin panel or by manual installation.
2. Clear the PrestaShop cache.
3. Verify the module is functioning correctly.
🔧 Temporary Workarounds
Disable Channable module
Temporarily disable the vulnerable module until patching is possible.
Navigate to PrestaShop admin > Modules > Module Manager > Find Channable > Disable
Restrict access to ChannableFeedModuleFrontController
Block public access to the vulnerable controller via web server configuration. Note that when friendly URLs are disabled, PrestaShop module front controllers are also reachable through index.php with the fc=module query string, so a rule that only covers the rewritten path leaves that form open.
# Apache:
<Location /module/channable/feed>
    Require all denied
</Location>
# Nginx:
location ~ /module/channable/feed {
    deny all;
}
🧯 If You Can't Patch
- Implement strict WAF rules to block SQL injection patterns targeting the Channable endpoint.
- Apply database-level restrictions to limit the impact of successful SQL injection attacks.
🔍 How to Verify
Check if Vulnerable:
Check the module version in the PrestaShop admin panel under Modules > Module Manager > Channable. If the version is 3.2.1 or earlier, the site is vulnerable.
Check Version:
Check the PrestaShop admin panel or examine modules/channable/channable.php for version information.
Verify Fix Applied:
Confirm the Channable module version is 3.2.2 or later in the module manager and test the feed functionality works correctly.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests to /module/channable/feed endpoint
- Error logs containing SQL syntax errors
Network Indicators:
- HTTP POST requests to /module/channable/feed with SQL injection patterns
- Unusual outbound database connections from web server
SIEM Query:
source="web_access_logs" AND uri="/module/channable/feed" AND (method="POST" OR params CONTAINS "UNION" OR params CONTAINS "SELECT" OR params CONTAINS "OR 1=1")
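As an added illustration of the log indicators and SIEM logic above (not part of the original advisory), the following Python scanner applies the same criteria to combined-format access log lines: requests to the feed path are counted per client, and a line is flagged when it is a POST or its decoded query string contains one of the listed tokens. The sample log lines, client addresses and the `param` query name are constructed for this example; the advisory does not name the vulnerable parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit
# Indicators taken from the advisory's Detection & Monitoring section.
FEED_PATH = "/module/channable/feed"
SQLI_PATTERNS = ("UNION", "SELECT", "OR 1=1")
# Combined log format: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3}')

# Constructed sample lines, not real traffic; 203.0.113.9 plays the suspicious client.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2024:10:01:02 +0000] "GET /module/channable/feed?token=abc123 HTTP/1.1" 200 5120
203.0.113.9 - - [18/Jun/2024:10:01:05 +0000] "GET /module/channable/feed?param=1%20UNION%20SELECT%201 HTTP/1.1" 500 312
203.0.113.9 - - [18/Jun/2024:10:01:06 +0000] "GET /module/channable/feed?param=1+OR+1%3D1 HTTP/1.1" 200 9000
203.0.113.9 - - [18/Jun/2024:10:01:07 +0000] "POST /module/channable/feed HTTP/1.1" 200 120
198.51.100.4 - - [18/Jun/2024:10:02:00 +0000] "GET /index.php?controller=product&id_product=1 HTTP/1.1" 200 7000
"""

def parse_feed_request(line):
    """Return (ip, method, decoded_query) if the line is a request to the feed path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != FEED_PATH:
        return None
    # Decode once so percent-encoded and '+'-encoded parameters are compared as plain text.
    return m.group("ip"), m.group("method"), unquote_plus(parts.query)

def reason(method, query):
    """Mirror the SIEM query: a POST to the endpoint, or a known SQLi token in the params."""
    if method == "POST":
        return "POST to feed endpoint"
    # Plain substring matching, like the SIEM query; expect some noise (e.g. 'selected=1').
    hits = [p for p in SQLI_PATTERNS if p in query.upper()]
    return "SQLi pattern: " + ", ".join(hits) if hits else None

def scan(lines, burst_threshold=5):
    """Return (alerts, noisy_ips): flagged requests and clients repeatedly hitting the endpoint."""
    alerts, per_ip = [], Counter()
    for line in lines:
        rec = parse_feed_request(line)
        if rec is None:
            continue
        ip, method, query = rec
        per_ip[ip] += 1
        why = reason(method, query)
        if why:
            alerts.append((ip, why))
    return alerts, sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
```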