CVE-2024-25842 is a vulnerability identified in the Presta World 'Account Manager - Sales Representative & Dealers - CRM' module (prestasalesmanager) for PrestaShop versions prior to 9.0. The vulnerability stems from improper access control in the uploadLogo() and postProcess methods, which are responsible for handling user-uploaded logos and processing form submissions respectively. Due to insufficient privilege checks, remote attackers can exploit these methods to escalate their privileges within the system and gain unauthorized access to sensitive information. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 base score of 7.5 reflects the ease of exploitation (network vector, low complexity) and the high impact on confidentiality, while integrity and availability remain unaffected. The underlying weakness corresponds to CWE-269 (Improper Privilege Management), indicating that the module fails to enforce proper access restrictions on critical operations. Although no public exploits have been reported yet, the vulnerability poses a significant risk to PrestaShop installations using this module, especially those handling sensitive customer or sales data. The lack of an official patch at the time of reporting necessitates immediate attention from administrators to implement compensating controls or monitor for suspicious activity.

The vulnerability allows remote attackers to escalate privileges without authentication, potentially exposing sensitive business and customer information managed through the Presta World sales representative and dealer CRM module. This can lead to unauthorized data disclosure, undermining customer privacy and business confidentiality. While the vulnerability does not affect data integrity or system availability directly, the exposure of sensitive information can facilitate further attacks, fraud, or competitive intelligence gathering. Organizations relying on PrestaShop with this module are at risk of data breaches that could damage reputation, incur regulatory penalties, and cause financial losses. The ease of exploitation and network accessibility increase the likelihood of attacks, especially in environments where the module is publicly accessible. The absence of known exploits currently limits immediate widespread impact but does not reduce the urgency for mitigation.

1. Upgrade to PrestaShop version 9.0 or later once the vendor releases a patch addressing this vulnerability. 2. In the interim, restrict access to the affected module's functionalities by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. 3. Review and harden access control policies within the PrestaShop installation, ensuring that only authorized users can invoke uploadLogo() and postProcess methods. 4. Monitor logs for unusual activity related to these methods, including unexpected file uploads or privilege escalations. 5. Disable or remove the 'Account Manager - Sales Representative & Dealers - CRM' module if it is not essential to business operations. 6. Conduct a thorough audit of user privileges and sensitive data access to detect any unauthorized disclosures. 7. Employ web application firewalls (WAFs) with custom rules to detect and block exploitation attempts targeting these methods. 8. Educate administrators and developers about secure coding practices to prevent improper privilege management in custom modules.