Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-33278: [CVE-2023-33278] Improper neutralization of multiple SQL parameters in the scexportcustomers module for PrestaShop

In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.

CVE
Open in Source
#sql#vulnerability#web#auth

In the module “SC Export Customers” (scexportcustomers), an anonymous user can perform SQL injections. The module have been patched in version 3.6.2.

Summary

  • CVE ID: CVE-2023-33278
  • Published at: 2023-05-25
  • Platform: PrestaShop
  • Product: scexportcustomers
  • Impacted release: <= 3.6.1 (3.6.2 fixed the vulnerability)
  • Product author: Store Commander
  • Weakness: CWE-89
  • Severity: critical (9.8)

Description

In scexportcustomers module up to 3.6.1 for PrestaShop, a sensitive SQL call can be executed with a trivial http call and exploited to forge a blind SQL injection.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

Other recommandations

  • It’s recommended to delete the module if not used or contact Store Commander
  • Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
  • Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

Timeline

Date

Action

2022-09-21

Issue discovered after a security audit by 202-ecommerce

2022-09-21

Contact Author

2022-12-09

Author provide patch

2023-05-15

Request a CVE ID

2023-05-22

Received CVE ID

Store Commander thanks 202-ecommerce for its courtesy and its help after the vulnerability disclosure.

Links

  • Store Commander export customer module product page
  • National Vulnerability Database

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE