CVE-2024-24311: n/a in n/a
Path Traversal vulnerability in the Linea Grafica "Multilingual and Multistore Sitemap Pro - SEO" (lgsitemaps) module for PrestaShop before version 1.6.6. A guest can download personal information without restriction.
AI Analysis
Technical Summary
CVE-2024-24311 is a high-severity path traversal vulnerability affecting the Linea Grafica "Multilingual and Multistore Sitemap Pro - SEO" (lgsitemaps) module for PrestaShop versions prior to 1.6.6. This vulnerability allows an unauthenticated attacker (guest user) to exploit improper input validation and directory traversal weaknesses (CWE-22) to access and download sensitive personal information without any restriction. The flaw arises because the module fails to properly sanitize user-supplied input used in file path construction, enabling attackers to traverse directories outside the intended scope and retrieve files that may contain confidential customer data. The vulnerability has a CVSS v3.1 base score of 7.5, indicating high severity, with an attack vector of network (AV:N), no privileges required (PR:N), no user interaction needed (UI:N), and a scope unchanged (S:U). The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No public exploits are currently known in the wild, and no official patches have been linked yet. However, given the nature of the vulnerability and the sensitive data exposure, exploitation could lead to significant privacy breaches and regulatory compliance issues for affected e-commerce operators using this module on PrestaShop platforms.
Potential Impact
For European organizations, especially those operating e-commerce websites using PrestaShop with the vulnerable Linea Grafica sitemap module, this vulnerability poses a serious risk to customer data confidentiality. Personal information exposure can lead to violations of the EU General Data Protection Regulation (GDPR), resulting in heavy fines and reputational damage. The ability for unauthenticated attackers to access sensitive data without restriction increases the risk of identity theft, fraud, and targeted phishing campaigns against customers. Additionally, the breach of customer trust can have long-term business impacts. Since PrestaShop is widely used by small to medium-sized enterprises across Europe, the threat surface is significant. Organizations may also face legal liabilities and increased scrutiny from data protection authorities if they fail to address this vulnerability promptly.
Mitigation Recommendations
1. Immediate upgrade: Organizations should upgrade the Linea Grafica "Multilingual and Multistore Sitemap Pro - SEO" module to version 1.6.6 or later once it becomes available, as this version addresses the vulnerability.
2. Temporary access controls: Until a patch is applied, restrict access to the sitemap module endpoints via web application firewalls (WAF) or reverse proxies by limiting access to trusted IPs or requiring authentication.
3. Input validation: Implement additional server-side input validation and sanitization to prevent directory traversal characters (e.g., ../) from being processed.
4. File system permissions: Harden file system permissions to ensure that the web server process cannot access sensitive files outside the intended directories.
5. Monitoring and logging: Enable detailed logging of access to sitemap-related URLs and monitor for suspicious requests indicative of path traversal attempts.
6. Incident response readiness: Prepare to respond to potential data breaches by having notification procedures and forensic capabilities in place.
7. Vendor communication: Engage with the module vendor or PrestaShop community to track patch releases and security advisories.
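One way to carry out the monitoring in item 5 and feed the incident response in item 6, as an added example that is not code from the vendor or from this advisory: a scan of web server access logs for requests to the module whose decoded target contains an upward path segment. It assumes Combined Log Format and that the module is served from PrestaShop's standard `/modules/lgsitemaps/` directory; the script name, parameter name and file name in the sample lines are constructed placeholders, since the advisory does not name the affected endpoint.

```python
import re
from urllib.parse import unquote

# Assumption: the module lives under PrestaShop's standard modules directory.
MODULE_PREFIX = "/modules/lgsitemaps/"
# Combined Log Format: client IP, quoted request line, then the status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A ".." segment bounded by a separator, "=" or the string edge, after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=])\.\.(?:[\\/&]|$)')

# Constructed sample lines; example.php, "name" and placeholder.txt are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jun/2025:10:00:01 +0000] "GET /modules/lgsitemaps/example.php?name=sitemap_1.xml HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.7 - - [05/Jun/2025:10:00:02 +0000] "GET /modules/lgsitemaps/example.php?name=..%2f..%2fplaceholder.txt HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.23 - - [05/Jun/2025:10:00:03 +0000] "GET /modules/lgsitemaps/example.php?name=%252e%252e%252fplaceholder.txt HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.44 - - [05/Jun/2025:10:00:04 +0000] "GET /modules/othermodule/example.php?name=../placeholder.txt HTTP/1.1" 200 64 "-" "-"',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return one finding per module request whose decoded target traverses upward."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m.group("target"))
        in_module = MODULE_PREFIX in target.partition("?")[0].lower()
        if not in_module or not TRAVERSAL_RE.search(target):
            continue
        served = m.group("status").startswith("2")  # 2xx: content was returned
        findings.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "target": target,
            "verdict": "possible-disclosure" if served else "attempt-not-served",
        })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings marked `possible-disclosure` are the ones to hand to incident response first, because the server answered the traversal request with a 2xx status.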
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-01-25T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6841e8e1182aa0cae2eca072
Added to database: 6/5/2025, 6:58:41 PM
Last enriched: 7/7/2025, 4:44:34 PM
Last updated: 8/6/2025, 3:00:02 PM