CVE-2024-25846: n/a

Severity: Critical
Published: Tue Feb 27 2024 (02/27/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-25846 is a critical vulnerability in the "Product Catalog (CSV, Excel) Import" module (simpleimportproduct) version 6.7.0 and earlier from MyPrestaModules for PrestaShop. It allows unauthenticated guest users to upload files with dangerous .php extensions, leading to remote code execution. The vulnerability stems from improper validation of uploaded file types (CWE-434). Exploitation requires no user interaction and can be performed remotely over the network. The CVSS score is 9.1, reflecting high impact on confidentiality, integrity, and availability with low attack complexity but requiring high privileges. No public exploits are currently known.

AI-Powered Analysis

Last updated: 02/26/2026, 10:47:02 UTC

Technical Analysis

CVE-2024-25846 is a critical security vulnerability identified in the "Product Catalog (CSV, Excel) Import" module (simpleimportproduct) for PrestaShop, specifically versions 6.7.0 and earlier. This module is designed to facilitate bulk import of product data via CSV or Excel files. However, due to insufficient validation of uploaded file extensions, unauthenticated guest users can upload files with .php extensions. This improper validation corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type). The ability to upload .php files enables attackers to execute arbitrary PHP code on the server, effectively allowing remote code execution (RCE). The vulnerability has a CVSS v3.1 base score of 9.1, indicating critical severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H), which suggests that some form of elevated access or bypass might be needed, though the description states a guest can upload files, implying a potential discrepancy or that the module's access controls are weak or misconfigured. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), as attackers can fully compromise the system. No public exploits are currently known, but the vulnerability's nature makes it a prime target for exploitation once weaponized. The lack of available patches at the time of publication increases urgency for mitigation. This vulnerability threatens the security of e-commerce platforms using PrestaShop with this module, potentially leading to full server compromise, data theft, defacement, or service disruption.

Potential Impact

The impact of CVE-2024-25846 is severe for organizations running PrestaShop with the vulnerable Product Catalog Import module. Successful exploitation allows attackers to upload and execute arbitrary PHP scripts, leading to remote code execution. This can result in full system compromise, including unauthorized access to sensitive customer data, modification or deletion of product catalogs, theft of payment information, and disruption of e-commerce operations. Attackers could also use compromised servers as pivot points for lateral movement within corporate networks or to launch further attacks such as ransomware deployment. The vulnerability undermines the confidentiality, integrity, and availability of the affected systems, potentially causing significant financial loss, reputational damage, and regulatory penalties. Given PrestaShop's global usage in online retail, the threat extends to a wide range of industries relying on e-commerce platforms. The absence of known public exploits currently provides a narrow window for remediation before attackers develop and deploy exploit code.

Mitigation Recommendations

To mitigate CVE-2024-25846, organizations should immediately implement strict file upload validation controls to restrict accepted file types to only CSV and Excel formats, explicitly blocking .php and other executable extensions. Employ server-side validation rather than relying solely on client-side checks. Disable or restrict guest user permissions to prevent unauthorized file uploads. Monitor web server logs and application logs for suspicious upload attempts or unexpected file creations. Use web application firewalls (WAFs) to detect and block malicious upload patterns. Apply any available patches or updates from MyPrestaModules or PrestaShop as soon as they are released. If patches are unavailable, consider temporarily disabling the vulnerable module or replacing it with a secure alternative. Conduct regular security audits and penetration testing focused on file upload functionalities. Implement network segmentation to limit the impact of a potential compromise. Backup critical data frequently and ensure backups are stored securely offline to enable recovery in case of an attack.
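Server-side validation of the kind recommended above, as an added example (not code from the advisory or from the simpleimportproduct module): it allowlists CSV/XLS/XLSX by extension, rejects executable extensions in any dotted segment, checks the file bytes against the claimed type, and stores the file under a server-chosen name. The function name validateCatalogUpload and the $uploadDir location (a directory outside the web root) are assumptions.

```php
<?php
// Added example, not code from the advisory or the simpleimportproduct module.
// Assumed names: validateCatalogUpload() and $uploadDir (a directory outside
// the web root). Requires PHP 7.4+ with the fileinfo extension.

const ALLOWED_EXT = ['csv', 'xls', 'xlsx'];
// Rejected if they appear as ANY dotted segment, so "catalog.php.csv" fails too.
const BLOCKED_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'htaccess'];

// Validates one $_FILES entry server-side and stores it under a random name.
// Returns the stored path; throws RuntimeException on any rejection.
function validateCatalogUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload');
    }
    $segments = explode('.', strtolower(basename((string) $file['name'])));
    if (count($segments) < 2) {
        throw new RuntimeException('Missing file extension');
    }
    foreach (array_slice($segments, 1) as $seg) {
        if (in_array($seg, BLOCKED_EXT, true)) {
            throw new RuntimeException('Executable extension rejected: ' . $seg);
        }
    }
    $ext = end($segments);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('Only CSV, XLS and XLSX are accepted');
    }
    // Check the bytes, not just the name: xlsx is a ZIP container, xls is an
    // OLE2 compound file, CSV must be plain text without NUL bytes.
    $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 4096);
    $mime = (string) finfo_file(finfo_open(FILEINFO_MIME_TYPE), $file['tmp_name']);
    $contentOk = ($ext === 'xlsx' && strncmp($head, "PK\x03\x04", 4) === 0)
        || ($ext === 'xls' && strncmp($head, "\xD0\xCF\x11\xE0", 4) === 0)
        || ($ext === 'csv' && strpos($head, "\0") === false
            && in_array($mime, ['text/plain', 'text/csv', 'application/csv'], true));
    if (!$contentOk) {
        throw new RuntimeException('File content does not match its extension');
    }
    // Server-chosen name: the client-supplied filename never reaches the disk.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640);
    return $dest;
}
```

Pair this with the permission check the advisory calls for: the import endpoint itself should verify an authenticated, authorised user before reaching this function, since validation alone does not fix the missing access control.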


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-02-12T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d71b7ef31ef0b572331

Added to database: 2/25/2026, 9:45:21 PM

Last enriched: 2/26/2026, 10:47:02 AM

Last updated: 2/26/2026, 11:08:41 AM

