CVE-2024-36684 is a critical SQL injection vulnerability identified in the 'Custom links' module (pk_customlinks) version 2.3 and earlier, developed by Promokit.eu for the PrestaShop e-commerce platform. The vulnerability resides in the ajax.php script, which processes HTTP requests containing SQL commands without proper sanitization or parameterization, allowing an unauthenticated attacker to inject and execute arbitrary SQL queries. This flaw is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability is trivially exploitable via a direct HTTP request, requiring no authentication or user interaction, and affects the confidentiality, integrity, and availability of the underlying database and application. The CVSS v3.1 base score of 9.8 reflects the high severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability all rated high (C:H/I:H/A:H). Although no public exploits are currently known, the ease of exploitation and critical impact make this a significant threat to any PrestaShop deployment using this module. The vulnerability could allow attackers to extract sensitive customer data, modify or delete data, or execute administrative commands on the database, potentially leading to full system compromise or data breaches.

The impact of CVE-2024-36684 is severe for organizations running PrestaShop with the vulnerable 'Custom links' module. Successful exploitation can lead to unauthorized access to sensitive customer and business data, including personal information, payment details, and order histories. Attackers could manipulate or delete critical data, disrupt e-commerce operations, or escalate privileges to compromise the entire system. This could result in financial losses, reputational damage, regulatory penalties, and loss of customer trust. Given the module's integration in e-commerce workflows, availability impacts could disrupt sales and customer experience. The vulnerability's ease of exploitation and lack of required authentication increase the risk of widespread attacks, especially targeting online retailers relying on PrestaShop. Organizations without timely remediation may face targeted attacks or automated exploitation attempts once public exploit code becomes available.

To mitigate CVE-2024-36684, organizations should immediately update the 'Custom links' module to a patched version once released by Promokit.eu. In the absence of an official patch, apply the following specific measures: (1) Implement strict input validation and parameterized queries in ajax.php to prevent SQL injection; review and sanitize all user-supplied inputs. (2) Deploy a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting ajax.php endpoints. (3) Restrict access to ajax.php via IP whitelisting or authentication where feasible to reduce exposure. (4) Monitor web server logs for unusual or suspicious HTTP requests containing SQL keywords or patterns indicative of injection attempts. (5) Conduct a thorough security audit of all PrestaShop modules for similar vulnerabilities. (6) Backup databases regularly and verify integrity to enable recovery in case of compromise. (7) Educate development teams on secure coding practices to prevent future injection flaws. These targeted actions go beyond generic advice and address the vulnerability's specific attack vector and exploitation method.