CVE-2024-28391

Published: Mar 14, 2024Modified: Jun 10, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

SQL injection vulnerability in FME Modules quickproducttable module for PrestaShop v.1.2.1 and before, allows a remote attacker to escalate privileges and obtain information via the readCsv(), displayAjaxProductChangeAttr, displayAjaxProductAddToCart, getSearchProducts, and displayAjaxProductSku methods.

Affected (1)

Products: Fmemodules: B2b Quick Order Form

1 product

B2b Quick Order Form

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Fmemodules B2b Quick Order Form	Before 1.3.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (2)

https://security.friendsofpresta.org/modules/2024/03/12/quickproducttable.html

Source: cve@mitre.org

PatchThird Party Advisory

https://security.friendsofpresta.org/modules/2024/03/12/quickproducttable.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.