Vulnerability in Help Desk Module Allows for Malicious File Uploads
CVE-2024-34990
What is CVE-2024-34990?
CVE-2024-34990 is a vulnerability in the Help Desk module of FME Modules for PrestaShop, affecting versions up to 2.4.0. This module, designed for managing customer support tickets, allows authenticated users to upload .php files to a predetermined location on the server. This flaw could enable attackers to execute malicious scripts, posing a significant risk to organizations that use this module for customer support operations.
Technical Details
The vulnerability is rooted in the methods HelpdeskHelpdeskModuleFrontController::submitTicket() and HelpdeskHelpdeskModuleFrontController::replyTicket(). These functions do not adequately restrict the types of files customers can upload, which permits PHP files to be uploaded and then executed on the server. If exploited, attackers could gain unauthorized access to the server, allowing them to manipulate or extract sensitive data, install additional malicious software, or compromise the entire web application.
Potential Impact of CVE-2024-34990
- Unauthorized Remote Code Execution: The ability to upload and execute arbitrary PHP files can allow attackers to run malicious code on the server, leading to full control over the affected system.
- Data Breach Risks: Exploiting this vulnerability could lead to unauthorized access to sensitive customer data stored on the server, exposing organizations to data breaches and legal ramifications.
- Compromise of Customer Trust: If attackers exploit this vulnerability to access or affect customer data, it could undermine trust in the organization's ability to protect sensitive information, leading to reputational damage and a loss of customer confidence.