CVE-2024-34993 in Bulk Export Products to Google Merchant-Google Shopping Module
Summary
by MITRE • 06/19/2024
In the module "Bulk Export products to Google Merchant-Google Shopping" (bagoogleshopping) up to version 1.0.26 from Buy Addons for PrestaShop, a guest can perform SQL injection via`GenerateCategories::renderCategories().
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/19/2024
The vulnerability CVE-2024-34993 affects the Bulk Export products to Google Merchant module version 1.0.26 and earlier from Buy Addons for PrestaShop. This module enables merchants to export their product catalog to Google Shopping, but contains a critical SQL injection flaw that can be exploited by unauthenticated attackers. The vulnerability specifically resides within the GenerateCategories::renderCategories() method, which processes user input without proper sanitization or validation, creating an avenue for malicious SQL commands to be executed against the underlying database.
The technical flaw manifests when a guest user accesses the module's category rendering functionality. The GenerateCategories::renderCategories() method fails to implement proper input validation or parameterized queries, allowing attackers to inject malicious SQL code through the module's interface. This weakness directly maps to CWE-89, which describes SQL injection vulnerabilities where untrusted data is incorporated into SQL queries without proper escaping or parameterization. The vulnerability is particularly dangerous because it does not require authentication, making it accessible to any visitor to the website.
The operational impact of this vulnerability is severe and multifaceted. An attacker could potentially extract sensitive data from the PrestaShop database including customer information, product details, order history, and administrative credentials. The SQL injection could also enable privilege escalation attacks, allowing unauthorized access to administrative functions. Additionally, attackers might perform data manipulation or deletion operations, leading to data corruption or complete database compromise. The vulnerability affects e-commerce platforms that rely on PrestaShop's Google Shopping integration, potentially impacting thousands of online stores that have not yet patched this issue.
Mitigation strategies should prioritize immediate patching of the affected module to version 1.0.27 or later, which contains the necessary security fixes. System administrators should also implement input validation measures and ensure that all user-supplied data is properly sanitized before processing. Network-level protections such as web application firewalls can provide additional defense-in-depth measures, though they should not replace proper code-level fixes. The module should be configured with the principle of least privilege, limiting database access permissions to only essential operations. Regular security audits and vulnerability assessments should be conducted to identify similar issues in other PrestaShop modules. Organizations should also monitor for any exploitation attempts through log analysis and implement proper intrusion detection systems to alert on suspicious database access patterns. This vulnerability demonstrates the critical importance of secure coding practices and regular security updates in e-commerce platforms.