CVE-2024-36681 is a critical SQL Injection vulnerability affecting the Isotope module (pk_isotope) version 1.7.3 and earlier, a third-party extension for the PrestaShop e-commerce platform developed by Promokit.eu. The vulnerability resides in the pk_isotope::saveData and pk_isotope::removeData methods, which improperly sanitize user-supplied input before incorporating it into SQL queries. This flaw allows remote attackers to inject malicious SQL code without authentication or user interaction, enabling them to manipulate the database directly. Potential impacts include unauthorized disclosure of sensitive customer and business data, modification or deletion of critical records, and possibly full system compromise depending on database privileges. The vulnerability has been assigned a CVSS v3.1 base score of 9.8, reflecting its critical nature with network attack vector, low attack complexity, no privileges required, and no user interaction needed. While no public exploits have been reported yet, the widespread use of PrestaShop and the popularity of the Isotope module among online retailers increase the risk of exploitation. The lack of an official patch at the time of publication necessitates immediate risk mitigation by affected organizations to prevent data breaches and operational disruptions.

The impact of CVE-2024-36681 is severe for organizations using PrestaShop with the Isotope module. Successful exploitation can lead to unauthorized access to sensitive customer data such as personal information, payment details, and order histories, resulting in privacy violations and regulatory non-compliance (e.g., GDPR). Attackers can also alter or delete critical e-commerce data, disrupting business operations and causing financial losses. The vulnerability could be leveraged to implant persistent backdoors or pivot to other internal systems, escalating the attack scope. Given the critical CVSS score and lack of required authentication, the threat is highly exploitable and can affect a broad range of online retailers globally. This undermines customer trust and can lead to reputational damage, legal penalties, and significant remediation costs.

To mitigate CVE-2024-36681, organizations should immediately audit their PrestaShop installations to identify the presence and version of the Isotope module. Until an official patch is released, apply the following specific mitigations: 1) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the pk_isotope::saveData and pk_isotope::removeData endpoints. 2) Restrict access to administrative and module-related URLs using IP whitelisting or VPNs to reduce exposure. 3) Conduct thorough input validation and sanitization at the application layer if possible, or disable vulnerable module features temporarily. 4) Monitor database logs for suspicious queries indicative of injection attempts. 5) Prepare for rapid patch deployment once an official fix is available from Promokit.eu or PrestaShop. 6) Regularly back up databases and test restoration procedures to minimize downtime and data loss in case of compromise. 7) Educate development and security teams about secure coding practices to prevent similar vulnerabilities in custom modules.