CVE-2024-33272 identifies an SQL injection vulnerability in the KnowBand autosuggest module for PrestaShop, specifically in versions prior to 2.0.0. The vulnerability resides in the AutosuggestSearchModuleFrontController class, particularly within the initContent() and getKbProducts() methods, which handle user input for product autosuggestions. Due to insufficient sanitization or parameterization of SQL queries, an attacker can inject malicious SQL commands. The CVSS 3.1 base score is 6.8, reflecting a medium severity with a vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and low availability impact (A:L). This means an attacker must have some level of authenticated access and trick a user into triggering the exploit, but can then access sensitive data from the database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). No patches or known exploits are currently documented, but the risk remains significant for affected installations. The module is commonly used in PrestaShop e-commerce sites to enhance user experience via autosuggestions, making it a valuable target for attackers seeking to extract customer or transactional data.

The primary impact of CVE-2024-33272 is unauthorized disclosure of sensitive information stored in the backend database, including potentially customer data, product details, and transactional records. This compromises confidentiality and may lead to data breaches, regulatory penalties, and reputational damage. The integrity and availability impacts are limited but could occur if attackers modify queries or cause errors. Since exploitation requires some level of authenticated access and user interaction, the attack surface is somewhat constrained, but insider threats or compromised accounts increase risk. Organizations running PrestaShop with the vulnerable KnowBand autosuggest module are at risk, especially those handling sensitive customer information or operating in regulated industries. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability could be weaponized in targeted attacks or automated scanning campaigns.

To mitigate CVE-2024-33272, organizations should: 1) Upgrade the KnowBand autosuggest module to version 2.0.0 or later once a patch is released. 2) If immediate patching is not possible, implement strict input validation and sanitization on all user inputs related to autosuggest features, ensuring parameterized queries or prepared statements are used. 3) Restrict access to the affected module's endpoints to trusted users and monitor for unusual query patterns or errors indicative of injection attempts. 4) Employ web application firewalls (WAFs) with rules targeting SQL injection signatures specific to PrestaShop modules. 5) Conduct regular security audits and penetration testing focusing on third-party modules. 6) Educate users and administrators about phishing and social engineering risks that could facilitate user interaction required for exploitation. 7) Monitor logs for suspicious activity and implement anomaly detection on database queries. These steps help reduce the risk of exploitation and limit potential damage.