CVE-2024-24307 is a path traversal vulnerability identified in the Tunis Soft "Product Designer" module integrated with PrestaShop, a widely used open-source e-commerce platform. The vulnerability exists in versions prior to 1.178.36 and specifically affects the ajaxProcessCropImage() method. This method fails to properly sanitize and validate user-supplied input related to file paths, allowing an unauthenticated remote attacker to manipulate the file path parameters. By exploiting this flaw, an attacker can traverse directories on the server's filesystem beyond the intended scope, potentially accessing sensitive files such as configuration files, user data, or other critical information. The vulnerability does not require any privileges or user interaction, increasing its risk profile. The CVSS v3.1 score of 7.5 (high) reflects the network attack vector, low complexity, no privileges required, no user interaction, and a significant impact on confidentiality. While no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers aiming to gather sensitive information or prepare for further attacks. The underlying issue corresponds to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common and serious security flaw in web applications handling file operations. The absence of a patch link suggests that users should monitor official channels for updates or apply manual mitigations. Given PrestaShop's global adoption in e-commerce, the vulnerability poses a considerable risk to online retailers using the affected module.

The primary impact of CVE-2024-24307 is unauthorized disclosure of sensitive information due to the path traversal vulnerability. Attackers can access files outside the intended directories, potentially exposing customer data, payment information, internal configuration files, and proprietary business data. This breach of confidentiality can lead to data theft, compliance violations (e.g., GDPR, PCI DSS), reputational damage, and financial losses. Although the vulnerability does not directly affect integrity or availability, the information gained can facilitate further attacks such as privilege escalation, code execution, or targeted phishing. The ease of exploitation without authentication or user interaction increases the likelihood of widespread exploitation once public exploits emerge. Organizations running vulnerable versions of the Product Designer module on PrestaShop face increased risk of data breaches and must act swiftly to mitigate exposure. The impact is particularly severe for e-commerce businesses that rely on customer trust and data protection.

To mitigate CVE-2024-24307, organizations should immediately upgrade the Tunis Soft Product Designer module to version 1.178.36 or later once available. In the absence of an official patch, implement strict input validation and sanitization on all file path parameters within the ajaxProcessCropImage() method to prevent directory traversal sequences such as '../'. Employ allowlisting of acceptable file paths and enforce server-side checks to restrict file access to designated directories only. Additionally, configure web server permissions to limit file read access to necessary directories and files, minimizing the impact of potential traversal attempts. Enable logging and monitoring of suspicious requests targeting the ajaxProcessCropImage() endpoint to detect exploitation attempts early. Conduct regular security assessments and code reviews focusing on file handling functions. Finally, educate development teams on secure coding practices related to file operations to prevent similar vulnerabilities in the future.