CVE-2024-28388 identifies a critical SQL injection vulnerability in the SunnyToo stproductcomments module used by PrestaShop, an open-source e-commerce platform. Specifically, the vulnerability resides in the StProductCommentClass::getListcomments method, which improperly sanitizes user input before incorporating it into SQL queries. This allows a remote attacker to inject malicious SQL statements without requiring authentication or user interaction, thereby escalating privileges and extracting sensitive information from the backend database. The vulnerability affects versions 1.0.5 and earlier of the module. The CVSS 3.1 base score is 9.8, reflecting the ease of exploitation (network attack vector, low complexity), no privileges or user interaction required, and the potential for complete compromise of confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's nature and critical severity make it a high priority for remediation. The lack of available patches at the time of publication necessitates immediate risk mitigation steps. This vulnerability falls under CWE-89, which covers improper neutralization of special elements used in SQL commands, a common and dangerous injection flaw. Organizations using PrestaShop with this module should consider code review, input validation, and database query parameterization to mitigate the risk until an official patch is released.

The impact of CVE-2024-28388 is severe for organizations operating e-commerce platforms using the vulnerable SunnyToo stproductcomments module on PrestaShop. Successful exploitation can lead to unauthorized access to sensitive customer data, including personal information and possibly payment details, resulting in data breaches and regulatory non-compliance. Attackers can manipulate or delete data, disrupt service availability, and escalate privileges to gain further control over the system. This can damage organizational reputation, cause financial losses, and expose businesses to legal liabilities. Given the criticality and ease of exploitation, attackers could automate attacks at scale, targeting multiple vulnerable installations globally. The vulnerability undermines trust in affected e-commerce platforms and can facilitate further attacks such as fraud, identity theft, and supply chain compromise.

To mitigate CVE-2024-28388, organizations should immediately audit their PrestaShop installations to identify the presence of the vulnerable SunnyToo stproductcomments module version 1.0.5 or earlier. Since no official patch is currently available, temporary mitigations include disabling or removing the vulnerable module to prevent exploitation. Implement strict input validation and sanitization on all user-supplied data, especially in comment or review functionalities. Employ parameterized queries or prepared statements to prevent SQL injection. Monitor web application logs for suspicious query patterns indicative of injection attempts. Restrict database user privileges to the minimum necessary to limit the impact of potential exploitation. Additionally, consider deploying web application firewalls (WAFs) with rules targeting SQL injection attacks to provide an additional layer of defense. Stay alert for official patches or updates from the module developer and apply them promptly once released.