CVE-2024-36680 identifies a SQL injection vulnerability in the Facebook integration module (pkfacebook) version 1.0.1 and earlier, developed by Promokit.eu for the PrestaShop e-commerce platform. The vulnerability resides in the ajax script facebookConnect.php, which processes HTTP requests containing SQL commands without proper sanitization or parameterization. This allows an unauthenticated attacker to inject malicious SQL code by crafting specific HTTP requests to the vulnerable endpoint. The injection targets the underlying database, potentially exposing sensitive customer data or internal system information. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicating a failure to properly sanitize user input before database queries. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a high impact on confidentiality (C:H) with no impact on integrity or availability. No patches have been officially released yet, and no known exploits have been observed in the wild, but the vulnerability's characteristics make it a prime target for attackers seeking to extract sensitive data from vulnerable PrestaShop installations using this module.

The primary impact of CVE-2024-36680 is unauthorized disclosure of sensitive information stored in the PrestaShop database, including potentially customer personal data, order details, and internal business information. Since the vulnerability allows unauthenticated remote attackers to perform SQL injection, it can lead to data breaches without any user credentials or interaction. This compromises confidentiality severely, which can result in regulatory penalties, loss of customer trust, and financial damage. Although the vulnerability does not directly affect data integrity or availability, attackers could leverage the exposed data for further attacks such as phishing, identity theft, or lateral movement within the network. Organizations running e-commerce platforms with this vulnerable module face increased risk of targeted attacks, especially those handling large volumes of sensitive customer data. The lack of known exploits currently provides a window for remediation, but the ease of exploitation and public disclosure increase the likelihood of future attacks.

1. Immediately disable or remove the vulnerable Facebook module (pkfacebook) version 1.0.1 or earlier from PrestaShop installations until a secure patch is available. 2. Implement strict input validation and parameterized queries in the facebookConnect.php script to prevent SQL injection. 3. Monitor web server and application logs for unusual or suspicious HTTP requests targeting facebookConnect.php or related endpoints. 4. Restrict access to the ajax script via web application firewall (WAF) rules or IP whitelisting where feasible. 5. Regularly update PrestaShop and all third-party modules to the latest versions to incorporate security fixes. 6. Conduct security audits and penetration testing focused on injection vulnerabilities in custom or third-party modules. 7. Educate development teams on secure coding practices, especially regarding database query construction and input sanitization. 8. Prepare incident response plans to quickly address potential data breaches resulting from exploitation of this vulnerability.