CVE-2024-24302: n/a
An issue was discovered in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the postProcess() method.
AI Analysis
Technical Summary
CVE-2024-24302 is a critical vulnerability in the Tunis Soft Product Designer (productdesigner) module for PrestaShop, an open-source e-commerce platform. It affects versions prior to 1.178.36 and stems from unsafe handling within the module's postProcess() method. The flaw is classified as CWE-502 (Deserialization of Untrusted Data): crafted requests reach postProcess(), which processes their contents without proper validation or sanitization, allowing arbitrary code execution on the server. Because exploitation requires no authentication or user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N), attackers can trigger it remotely over the network with minimal effort. Successful exploitation allows privilege escalation, potentially to administrative control over the PrestaShop instance, and extraction of sensitive information stored or processed by the module. The impact spans confidentiality, integrity, and availability: attackers can manipulate data, disrupt services, or deploy further malware. No public exploits have been reported yet, but the CVSS score of 9.8 reflects the critical severity and ease of exploitation. The lack of available patches at the time of disclosure increases the urgency for organizations to apply interim mitigations and to upgrade once a fixed release is available. Given PrestaShop's widespread use in global e-commerce, this vulnerability poses a significant threat to online retailers relying on the affected module.
Potential Impact
The impact of CVE-2024-24302 on organizations worldwide is substantial. Exploitation can lead to complete system compromise of PrestaShop installations using the vulnerable Product Designer module, resulting in unauthorized code execution and privilege escalation. This can cause data breaches involving customer information, payment details, and proprietary business data, severely damaging organizational reputation and customer trust. Additionally, attackers could disrupt e-commerce operations by defacing websites, deleting data, or deploying ransomware, leading to financial losses and operational downtime. The vulnerability’s remote and unauthenticated nature broadens the attack surface, allowing widespread scanning and exploitation attempts. Small to medium-sized online retailers, which often lack robust security measures, are particularly vulnerable. The absence of known exploits currently provides a window for proactive defense, but the critical severity demands immediate action to prevent potential future attacks. Regulatory compliance risks also arise if sensitive customer data is compromised due to this vulnerability.
Mitigation Recommendations
To mitigate CVE-2024-24302, organizations should immediately upgrade the Tunis Soft Product Designer module to version 1.178.36 or later once available. Until patches are released, apply the following specific measures:
1) Restrict network access to the PrestaShop administration and product designer endpoints using firewalls or IP whitelisting to limit exposure to trusted sources only.
2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the postProcess() method or deserialization attempts.
3) Conduct thorough input validation and sanitization on all data processed by the productdesigner module if custom modifications are possible.
4) Monitor application logs and network traffic for unusual activity indicative of exploitation attempts, such as unexpected POST requests or anomalous code execution patterns.
5) Employ runtime application self-protection (RASP) tools to detect and prevent exploitation in real time.
6) Regularly back up PrestaShop data and configurations to enable rapid recovery in case of compromise.
7) Educate development and operations teams about the risks of unsafe deserialization and secure coding practices to prevent similar vulnerabilities.
These targeted actions go beyond generic advice and focus on the unique aspects of this vulnerability's exploitation vector.
Affected Countries
United States, France, Germany, United Kingdom, Canada, Australia, Brazil, India, Italy, Spain, Netherlands, Mexico, Russia, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-01-25T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d58b7ef31ef0b570908
Added to database: 2/25/2026, 9:44:56 PM
Last enriched: 2/26/2026, 10:23:29 AM
Last updated: 4/12/2026, 6:15:12 PM