CVE-2024-24308 is a critical SQL Injection vulnerability identified in the Boostmyshop (boostmyshopagent) module for Prestashop, specifically affecting versions 1.1.9 and earlier. The vulnerability resides in three PHP scripts: changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php. These scripts fail to properly sanitize user-supplied input before incorporating it into SQL queries, allowing remote attackers to inject malicious SQL code. The injection flaw requires no authentication or user interaction, making it trivially exploitable over the network. Successful exploitation enables attackers to escalate privileges within the application, potentially gaining administrative access, extracting sensitive information such as customer data, order details, and payment information, or modifying database contents. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 9.8, reflecting the vulnerability's high impact on confidentiality, integrity, and availability, combined with its ease of exploitation. Although no public exploits have been reported yet, the critical nature of this flaw demands immediate attention from organizations using the affected module. The absence of official patches at the time of publication increases the urgency for temporary mitigations or workarounds.

The impact of CVE-2024-24308 is severe for organizations running Prestashop e-commerce platforms with the vulnerable Boostmyshop module. Attackers can remotely execute arbitrary SQL commands, leading to unauthorized data disclosure, data manipulation, and potential full system compromise. This can result in theft of customer personal and payment data, loss of data integrity affecting order processing, and disruption of service availability. Such breaches can cause significant financial losses, reputational damage, regulatory penalties, and erosion of customer trust. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread exploitation. Organizations relying on this module for order and shipping management are particularly at risk, as attackers could manipulate shipping details or carrier information to facilitate fraud or intercept shipments. The lack of known exploits currently provides a small window for remediation before active exploitation emerges.

To mitigate CVE-2024-24308, organizations should immediately identify if their Prestashop installations use the Boostmyshop (boostmyshopagent) module version 1.1.9 or earlier. If so, they should: 1) Apply any available patches or updates from Boostmyshop or Prestashop vendors as soon as they are released. 2) If patches are not yet available, implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting the affected PHP scripts. 3) Restrict access to changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php via network segmentation or IP whitelisting to limit exposure. 4) Conduct thorough input validation and sanitization on all user inputs in these scripts if custom modifications are possible. 5) Monitor logs for suspicious SQL errors or unusual database queries related to these endpoints. 6) Consider temporarily disabling the vulnerable module or affected functionalities if business operations allow. 7) Educate development and security teams about the vulnerability to ensure rapid response to any exploitation attempts. 8) Regularly back up databases and verify backup integrity to enable recovery in case of compromise.