CVE-2024-41651

HIGH

PrestaShop < 8.1.7 - Server-Side Request Forgery via Module Upgrade Functionality

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-41651. PoCs published by Fckroun.

AI-analyzed exploit summary This repository provides a detailed technical writeup on exploiting a Blind SSRF to RCE vulnerability in PrestaShop 8.1.7 via a malicious module upgrade. It includes step-by-step instructions, payload examples, and screenshots demonstrating the exploit process.

Description

An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).

Exploits (1)

nomisec WRITEUP 1 stars
by Fckroun · poc
https://github.com/Fckroun/CVE-2024-41651

This repository provides a detailed technical writeup on exploiting a Blind SSRF to RCE vulnerability in PrestaShop 8.1.7 via a malicious module upgrade. It includes step-by-step instructions, payload examples, and screenshots demonstrating the exploit process.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PrestaShop 8.1.7
Auth required
Prerequisites: Outdated module (e.g., ps_facetedsearch v3.16.1) · Ability to intercept and modify HTTP requests · Hosting for malicious module
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 8.1
EPSS 0.0126
EPSS Percentile 65.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-918 CWE-94
Status published
Products (1)
prestashop/prestashop < 8.1.7
Published Aug 12, 2024
Tracked Since Feb 18, 2026