Lucene search

[email protected]NVD:CVE-2024-36684

HistoryJun 19, 2024 - 9:15 p.m.

CVE-2024-36684

2024-06-1921:15:57

CWE-89

[email protected]

web.nvd.nist.gov

cve-2024-36684

module

custom links

promokit.eu

prestashop

sql injection

ajax.php

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

39.6%

JSON

In the module “Custom links” (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

Affected configurations

Nvd

Node

prestashoppk_customlinksRange≤2.3

VendorProductVersionCPE
prestashoppk_customlinks*cpe:2.3:a:prestashop:pk_customlinks:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
prestashop	pk_customlinks	*	cpe:2.3:a:prestashop:pk_customlinks::::::::

References

security.friendsofpresta.org/modules/2024/06/18/pk_customlinks.html

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

39.6%

JSON

Related for NVD:CVE-2024-36684

vulnrichment1 cve1 cvelist1