CVE-2024-24311 in Multilingual and Multistore Sitemap Pro Module
Summary
by MITRE • 02/07/2024
Path Traversal vulnerability in Linea Grafica "Multilingual and Multistore Sitemap Pro - SEO" (lgsitemaps) module for PrestaShop before version 1.6.6, a guest can download personal information without restriction.
Analysis
by VulDB Data Team • 06/06/2025
CVE-2024-24311 is a critical path traversal flaw in the Linea Grafica lgsitemaps module for PrestaShop. It affects versions prior to 1.6.6 and sits in the multilingual and multistore sitemap functionality that is commonly used for SEO. Unauthenticated attackers can exploit improper input validation in the module's file handling to access restricted system files and sensitive data without authorization. The issue stems from insufficient sanitization of user-supplied parameters that are incorporated directly into file path resolution, which lets an attacker navigate beyond the intended directory structure and retrieve confidential information.
Technically, the flaw lies in inadequate input validation within the sitemap generation module. When the module processes requests for sitemap files, it fails to validate or sanitize the parameters that determine which files are accessed or generated. Attackers can therefore manipulate file path resolution by injecting path traversal sequences such as ../ or ..\ that navigate up the directory tree and reach files outside the intended web root. The flaw operates at the application level, where user input is concatenated directly into file system operations without security checks, making it a classic example of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability is particularly concerning because it affects a widely used PrestaShop module that many e-commerce platforms rely on for their SEO infrastructure.
The operational impact extends beyond simple data exposure, because the flaw lets attackers extract personal information from affected systems. The guest user context means that no authentication is required, which makes the flaw particularly dangerous for online stores that handle sensitive customer data, including personal identification information, contact details, and potentially financial data. E-commerce platforms that store customer records in their PrestaShop installations face a significant risk, as the flaw allows unauthorized access to potentially thousands of customer profiles. Exposure of such information could lead to identity theft, fraud, and other malicious activity that would severely damage both business reputation and customer trust. According to the ATT&CK framework, this vulnerability maps to T1083 - File and Directory Discovery and T1566 - Phishing, as it enables initial reconnaissance and subsequent data exfiltration that attackers can leverage for further compromise.
Organizations affected by CVE-2024-24311 should immediately apply the remediation provided by the module developers, which typically means updating to version 1.6.6 or later, where the path traversal vulnerability has been addressed through proper input validation and sanitization. The fix should involve strict parameter validation that prevents directory traversal sequences from being processed, so that all user input is escaped or filtered before it is used in file system operations. System administrators should also conduct comprehensive security assessments of their PrestaShop installations to identify any other modules or components that might share similar flaws. Network monitoring should be enhanced to detect unusual file access patterns that could indicate exploitation attempts, and access controls should be reviewed so that sensitive data stays protected even when an individual module is compromised. The vulnerability underscores the importance of keeping security patches up to date and of defense-in-depth strategies that combine input validation, access controls, and continuous security monitoring for e-commerce platforms handling sensitive customer information.
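The monitoring recommendation above can be applied to web server access logs. The following is an added example, not code from VulDB or the module vendor: it flags requests that name the lgsitemaps module and carry a ".." path segment after decoding. It assumes the common/combined access log format; the script name example.php, the "file" parameter and all sample lines are hypothetical, constructed for illustration.

```python
import re
from urllib.parse import unquote

MODULE = "lgsitemaps"  # module name taken from the advisory
# Common/combined access log format: client, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." path segment, checked after decoding with "\" normalised to "/".
DOTDOT_RE = re.compile(r'(?:^|[/=&?])\.\.(?:/|&|$)')

def normalise(target, max_rounds=3):
    """Percent-decode until stable (covers nested encoding), unify separators."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

def scan(lines):
    """Return one finding per request that names the module and carries '..'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = normalise(m["target"])
        if MODULE in target and DOTDOT_RE.search(target):
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                # A 200 means a body was returned: review what was sent.
                "served": m["status"] == "200",
            })
    return findings

# Constructed sample lines; example.php and "file" are hypothetical names.
SAMPLE = [
    '203.0.113.7 - - [07/Feb/2024:10:00:01 +0000] "GET /modules/lgsitemaps/example.php?file=sitemap_1.xml HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Feb/2024:10:00:05 +0000] "GET /modules/lgsitemaps/example.php?file=../../placeholder.txt HTTP/1.1" 200 20480',
    '203.0.113.9 - - [07/Feb/2024:10:00:06 +0000] "GET /modules/lgsitemaps/example.php?file=%2e%2e%5cplaceholder.txt HTTP/1.1" 403 199',
    '198.51.100.4 - - [07/Feb/2024:10:00:09 +0000] "GET /modules/othermodule/example.php?file=../placeholder.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings with "served" set to true are the ones to triage first, since the server answered the request with content rather than an error.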