CVE-2024-34989 is a critical SQL injection vulnerability identified in the RSI PDF/HTML catalog evolution module (prestapdf) for PrestaShop, affecting versions up to and including 7.0.0. The vulnerability resides in the PrestaPDFProductListModuleFrontController::queryDb() method, which improperly sanitizes user input, allowing an unauthenticated guest to inject arbitrary SQL commands. This injection flaw (CWE-89) enables attackers to manipulate backend database queries, potentially leading to unauthorized data disclosure, data modification, or deletion, and even full system compromise depending on database privileges. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it highly accessible to attackers. The CVSS 3.1 base score of 9.8 reflects its critical severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (C:H), integrity (I:H), and availability (A:H). Although no public exploits have been reported yet, the vulnerability's characteristics suggest it could be weaponized rapidly. The affected module is used within PrestaShop, a widely deployed open-source e-commerce platform, which increases the potential attack surface globally. The lack of available patches at the time of disclosure necessitates immediate attention to mitigate risks.

The impact of CVE-2024-34989 is severe for organizations using the RSI prestapdf module in PrestaShop. Successful exploitation can lead to complete compromise of the underlying database, exposing sensitive customer data, payment information, and business-critical records. Attackers can alter or delete data, disrupt e-commerce operations, and potentially pivot to further internal network compromise. This can result in financial losses, reputational damage, regulatory penalties, and operational downtime. Given the module's integration in e-commerce environments, the threat extends to supply chain integrity and customer trust. The vulnerability's ease of exploitation without authentication or user interaction significantly raises the risk of widespread automated attacks or targeted exploitation campaigns. Organizations globally that rely on PrestaShop for online sales are at risk, especially those with high transaction volumes or sensitive data processing.

1. Immediately verify if the RSI PDF/HTML catalog evolution module (prestapdf) is installed and identify the version; prioritize upgrades to versions beyond 7.0.0 once patches are released. 2. Until an official patch is available, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the queryDb() endpoint, focusing on suspicious input parameters. 3. Restrict database user privileges for the PrestaShop application to the minimum necessary, preventing destructive commands even if injection occurs. 4. Monitor application logs and database query logs for anomalous or unexpected queries indicative of injection attempts. 5. Employ input validation and sanitization at the application layer as an additional defense-in-depth measure. 6. Conduct thorough security assessments and penetration tests on the PrestaShop environment to identify any exploitation attempts or related vulnerabilities. 7. Educate development and operations teams about this vulnerability to ensure rapid response and patch deployment. 8. Consider isolating or segmenting the PrestaShop environment to limit lateral movement in case of compromise.