CVE-2024-34988 is a critical SQL injection vulnerability identified in the PrestaShop module "Complete for Create a Quote in Frontend + Backend Pro" (askforaquotemodul) versions up to 1.0.51. This module facilitates quote creation functionality in both frontend and backend environments. The vulnerability arises from improper sanitization of user-supplied input in several front controller methods, including AskforaquotemodulcustomernewquoteModuleFrontController::run(), AskforaquotemoduladdproductnewquoteModuleFrontController::run(), AskforaquotemodulCouponcodeModuleFrontController::run(), AskforaquotemodulgetshippingcostModuleFrontController::run(), and AskforaquotemodulgetstateModuleFrontController::run(). Exploiting this flaw allows remote attackers to inject malicious SQL queries directly into the backend database without requiring authentication or user interaction. The impact includes unauthorized disclosure of sensitive information, modification or deletion of data, and potential full compromise of the affected PrestaShop installation. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No official patches or fixes have been linked yet, and no known exploits in the wild have been reported as of the publication date (June 24, 2024).

The SQL injection vulnerability in this PrestaShop module poses a severe risk to organizations running e-commerce platforms using this software. Attackers can remotely execute arbitrary SQL commands, leading to unauthorized access to sensitive customer data such as personal information, payment details, and order histories. This can result in data breaches, regulatory non-compliance, and reputational damage. Furthermore, attackers may alter or delete critical database records, disrupting business operations and causing denial of service. The ability to execute commands without authentication or user interaction significantly lowers the barrier for exploitation, increasing the likelihood of attacks. Given the widespread use of PrestaShop in small to medium-sized online retailers globally, the threat could affect a broad range of organizations, potentially leading to financial losses and erosion of customer trust.

1. Immediate mitigation involves upgrading the affected module to a version that addresses the SQL injection vulnerability once available from the vendor or developer. 2. Until a patch is released, implement web application firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the known vulnerable endpoints and parameters. 3. Conduct thorough input validation and sanitization on all user-supplied data within the module's codebase, especially in the affected front controller methods. 4. Restrict database user permissions to the minimum necessary to limit the impact of any successful injection. 5. Monitor logs for unusual database queries or error messages indicative of injection attempts. 6. Employ network segmentation and limit external access to the PrestaShop backend where feasible. 7. Regularly back up databases and test restoration procedures to minimize downtime in case of compromise. 8. Educate development and security teams about secure coding practices to prevent similar vulnerabilities in custom modules.