CVE-2024-9201
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Summary
The SEUR plugin, in its versions prior to 2.5.11, is vulnerable to time-based SQL injection through the use of the 'id_order' parameter of the '/modules/seur/ajax/saveCodFee.php' endpoint. This vulnerability allows for potential unauthorized access to sensitive data, manipulation of database contents, and possible execution of arbitrary commands on the database server. In severe cases, it could lead to complete system compromise.
Impact
This vulnerability has a high severity with a CVSS v3.1 base score of 9.8 out of 10. The impact on confidentiality, integrity, and availability is high. An attacker can exploit this vulnerability remotely over the network without requiring any privileges or user interaction. Potential impacts include: 1. Unauthorized access to sensitive data stored in the database 2. Manipulation or corruption of database contents 3. Possible execution of arbitrary commands on the database server 4. In severe cases, complete system compromise The vulnerability affects the SEUR plugin for PrestaShop, which could potentially impact e-commerce operations if exploited.
Exploitation
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
Patch
A patch is available. The vulnerability has been addressed in version 2.5.11 of the SEUR plugin. Users should update to this version or later to mitigate the risk.
Mitigation
1. Update the SEUR plugin to version 2.5.11 or later immediately. 2. If immediate updating is not possible, consider temporarily disabling the SEUR plugin until the update can be applied. 3. Implement input validation and parameterized queries for the affected endpoint to prevent SQL injection attacks. 4. Use the principle of least privilege for database accounts used by the application. 5. Regularly monitor and audit database activities for any suspicious queries or unauthorized access attempts. 6. Implement a Web Application Firewall (WAF) to help detect and block SQL injection attempts. 7. Conduct a thorough security review of other parts of the application to identify and address any similar vulnerabilities.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
NVD published the first details for CVE-2024-9201
A CVSS base score of 9.4 has been assigned.
Feedly found the first article mentioning CVE-2024-9201. See article
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.04% (Percentile: 9.7%)
A CVSS base score of 9.8 has been assigned.