CVE-2024-24303 is a critical SQL Injection vulnerability identified in the HiPresta "Gift Wrapping Pro" (hiadvancedgiftwrapping) module for PrestaShop, affecting versions prior to 1.4.1. The vulnerability resides in the addGiftWrappingCartValue() method of the HiAdvancedGiftWrappingGiftWrappingModuleFrontController class. This method fails to properly sanitize user input before incorporating it into SQL queries, allowing remote attackers to inject malicious SQL commands. Exploitation requires no authentication or user interaction, making it highly accessible to attackers. Successful exploitation can lead to privilege escalation, enabling attackers to gain unauthorized administrative access, and extraction of sensitive data from the underlying database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and severe injection flaw. The CVSS v3.1 base score of 9.8 reflects the vulnerability's critical nature, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits have been reported yet, the severity and ease of exploitation make it a significant threat to PrestaShop e-commerce sites using this module. The lack of available patches at the time of reporting necessitates immediate attention from affected organizations.

The impact of CVE-2024-24303 is severe for organizations running PrestaShop e-commerce platforms with the vulnerable HiPresta Gift Wrapping Pro module. Attackers can remotely execute arbitrary SQL commands, leading to unauthorized access to sensitive customer and business data such as personal information, payment details, and order histories. Privilege escalation can allow attackers to gain administrative control over the e-commerce site, enabling further malicious activities including data manipulation, deletion, or deployment of malware. This can result in significant financial losses, reputational damage, regulatory penalties, and disruption of business operations. Given the critical CVSS score and the lack of authentication requirements, the vulnerability poses a high risk of widespread exploitation, especially in environments with internet-facing PrestaShop installations. The threat extends to the confidentiality, integrity, and availability of affected systems, potentially impacting customer trust and compliance with data protection regulations.

To mitigate CVE-2024-24303, organizations should immediately upgrade the HiPresta Gift Wrapping Pro module to version 1.4.1 or later once available, as this will contain the necessary patches to fix the SQL Injection flaw. Until a patch is applied, implement web application firewall (WAF) rules specifically designed to detect and block SQL Injection attempts targeting the addGiftWrappingCartValue() method or related endpoints. Conduct thorough input validation and sanitization on all user-supplied data at the application level, ensuring that special characters are properly escaped or parameterized queries are used to prevent injection. Restrict database permissions for the PrestaShop application user to the minimum necessary, limiting the potential damage from a successful injection. Monitor logs and network traffic for unusual activity indicative of exploitation attempts. Additionally, consider isolating the PrestaShop environment and applying network segmentation to reduce exposure. Regularly review and update security policies and incident response plans to prepare for potential exploitation scenarios.