SQLi vulnerability in Starshop component for Joomla.

× We have detected that you are using an ad blocker. The Joomla! Project relies on revenue from these advertisements so please consider disabling the ad blocker for this domain.

CVE-2023-49708: Starshop - Joomla! Extension Directory

SQL njection vulnerability in SunnyToo sturls before version 1.1.13, allows attackers to escalate privileges and obtain sensitive information via StUrls::hookActionDispatcher and StUrls::getInstanceId methods.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Urls” (sturls) up to version 1.1.13 from SunnyToo for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-46348
*   **Published at**: 2023-12-07
*   **Platform**: PrestaShop
*   **Product**: sturls
*   **Impacted release**: <= 1.1.11 (1.1.13 fixed the vulnerability - WARNING : see WARNING below)
*   **Product author**: SunnyToo
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Methods StUrls::hookActionDispatcher and StUrls::getInstanceId have sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a hook Dispatcher with forged parameters so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

WARNING : Since we noticed this vulnerability on a 1.1.13 version but the author confirm us that it only affects 1.1.11, be warned that there is maybe manufactured versions in the wild and you should check all version prior to 1.1.13.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.1.13**

    --- 1.1.13/modules/sturls/sturls.php
    +++ XXXXXX/modules/sturls/sturls.php
    @@ -1288,7 +1288,7 @@ class StUrls extends Module
                             FROM '._DB_PREFIX_.'category_lang l
                             LEFT JOIN '._DB_PREFIX_.'category a
                             ON (a.id_category=l.id_category)
    -                        WHERE `link_rewrite` = "'.$top_parent_name.'"
    +                        WHERE `link_rewrite` = "'.pSQL($top_parent_name).'"
                             AND a.`active` = 1
                             AND `id_lang` = '.(int)$this->context->language->id
                         );
    @@ -1297,7 +1297,7 @@ class StUrls extends Module
                         FROM '._DB_PREFIX_.'category_lang l
                         LEFT JOIN '._DB_PREFIX_.'category a
                         ON (a.id_category=l.id_category)
    -                    WHERE `link_rewrite` = "'.$parent_name.'"
    +                    WHERE `link_rewrite` = "'.pSQL($parent_name).'"
                         AND a.`active` = 1'.
                         ($top_parent_name ? ' AND `id_parent` = ' . (int)$top_parent_id : '').'
                         AND `id_lang` = '.(int)$this->context->language->id
    @@ -1344,11 +1344,11 @@ class StUrls extends Module
                     ON (a.id_'.$table.'=l.id_'.$table.')
                     '.($table != 'category' ? 'INNER JOIN '._DB_PREFIX_.$table.'_shop s
                     ON (a.id_'.$table.'=s.id_'.$table.' AND s.id_shop = '.(int)$this->context->shop->id.')' : '').'
    -                WHERE `'.$field.'` = "'.$rewrite.'"
    +                WHERE `'.bqSQL($field).'` = "'.pSQL($rewrite).'"
                     AND `id_lang` = '.(int)$this->context->language->id.'
                     '.($is_id_shop ? 'AND l.id_shop='.(int)$this->context->shop->id : '').'
    -                '.($has_ref ? 'AND reference="'.$reference.'"' : '').'
    -                '.($id_parent ? 'AND id_parent IN ('.implode(',',$id_parent).')' : '').'
    +                '.($has_ref ? 'AND reference="'.pSQL($reference).'"' : '').'
    +                '.($id_parent ? 'AND id_parent IN ('.implode(',', array_map('intval', $id_parent)).')' : '').'
                     ');
                 if ($id) {
                     Configuration::updateValue($this->_prefix_st.'sha1_'.$sig, (int)$id);
    @@ -1513,7 +1513,7 @@ class StUrls extends Module
                             SELECT bl.id_st_blog FROM '._DB_PREFIX_.'st_blog_lang bl
                             INNER JOIN '._DB_PREFIX_.'st_blog_shop bs
                             ON(bl.`id_st_blog` = bs.`id_st_blog`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    @@ -1536,7 +1536,7 @@ class StUrls extends Module
                             SELECT l.id_st_blog_category FROM '._DB_PREFIX_.'st_blog_category_lang l
                             INNER JOIN '._DB_PREFIX_.'st_blog_category_shop s
                             ON(l.`id_st_blog_category` = s.`id_st_blog_category`)
    -                        WHERE link_rewrite = "'.$rewrite.'"
    +                        WHERE link_rewrite = "'.$pSQL($rewrite).'"
                             AND id_lang = '.(int)Context::getContext()->language->id.'
                             AND id_shop = '.(int)$this->context->shop->id.'
                             ');
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **sturls**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-08-31

Issue discovered during a code review by TouchWeb.fr

2023-08-31

Contact Author to confirm versions scope

2023-09-09

Author confirm versions scope

2023-09-16

Author provide a patch

2023-10-17

Request a CVE ID

2023-10-23

Received CVE ID

2023-12-07

Publish this security advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-46348: [CVE-2023-46348] Improper neutralization of SQL parameter in SunnyToo - Urls module for PrestaShop

SQL injection vulnerability in Buy Addons bavideotab before version 1.0.6, allows attackers to escalate privileges and obtain sensitive information via the component BaVideoTabSaveVideoModuleFrontController::run().

In the module “Product Video, Youtube, Vimeo Tab” (bavideotab) up to version 1.0.5 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.

Methods BaVideoTabSaveVideoModuleFrontController::run() and BaVideoTabConfirmDeleteModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**WARNING** : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

    --- 1.0.5/modules/bavideotab/controllers/front/confirmdelete.php
    +++ 1.0.6/modules/bavideotab/controllers/front/confirmdelete.php
    @@ -33,8 +33,8 @@ class BaVideoTabConfirmDeleteModuleFront
         public function run()
         {
             $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
    -        $id_product=Tools::getValue('id');
    -        $id_lang = Tools::getValue('id_lang');
    +        $id_product = (int) Tools::getValue('id');
    +        $id_lang = (int) Tools::getValue('id_lang');
             $id_shop=($this->context->shop->id);
             $sql="SELECT text_url FROM "._DB_PREFIX_."url_video WHERE id_product='".$id_product."'";
             $sql .= "AND id_lang='".$id_lang."' AND id_store='".$id_shop."' AND type = 1 ";
    
    

    --- 1.0.5/modules/bavideotab/controllers/front/savevideo.php
    +++ 1.0.6/modules/bavideotab/controllers/front/savevideo.php
    @@ -33,14 +33,14 @@ class BaVideoTabSaveVideoModuleFrontCont
             $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
             $ob_lang_default = new Language($id_lang_default);
             $name_lang_default = $ob_lang_default->name;
    -        $id_shop = Tools::getValue('id_shop');
    +        $id_shop = (int) Tools::getValue('id_shop');
             $name_shop = Tools::getValue('name_shop');
             $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
             $url = $_SERVER['SCRIPT_FILENAME'];
             $url = rtrim($url, 'index.php');
             $languages = Language::getLanguages();
    -        $type_video = Tools::getValue('type_video');
    -        $id_product = Tools::getValue('id_product');
    +        $type_video = (int) Tools::getValue('type_video');
    +        $id_product = (int) Tools::getValue('id_product');
             $sql = 'SELECT * FROM '._DB_PREFIX_.'product_lang WHERE id_product="'.$id_product.'"';
             $show = $db->ExecuteS($sql);
    
    @@ -91,7 +91,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                             $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                             $sql .= " VALUES ('','".$id_product."','".$id_lang_default."','".$id_shop."','";
    -                        $sql .= "".$video_upload_default."','".$name_lang_default."','".$name_shop."','";
    +                        $sql .= "".$video_upload_default."','".$name_lang_default."','".pSQL($name_shop)."','";
                             $sql .= "".$name_product."','".$type_video."')";
                             $db->query($sql);
                             $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -102,7 +102,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                                 $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                                 $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                                 $sql .= " VALUES ('','".$id_product."','".$value['id_lang']."','".$id_shop."','";
    -                            $sql .= "".$video_upload_default."','".$value['name']."','".$name_shop."','";
    +                            $sql .= "".$video_upload_default."','".$value['name']."','".pSQL($name_shop)."','";
                                 $sql .= "".$name_product."','".$type_video."')";
                                 $db->query($sql);
                                 $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -113,7 +113,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                                 $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                                 $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                                 $sql .= " VALUES ('','".$id_product."','".$value['id_lang']."','".$id_shop."','";
    -                            $sql .= "".$video_url."','".$value['name']."','".$name_shop."','";
    +                            $sql .= "".$video_url."','".$value['name']."','".pSQL($name_shop)."','";
                                 $sql .= "".$name_product."','".$type_video."')";
                                 $db->query($sql);
                                 $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -160,7 +160,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql = "REPLACE INTO "._DB_PREFIX_."url_video ";
                             $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$value['id_lang']."','";
    -                        $sql .= "".$id_shop."','".$video_url."','".$value['name']."','".$name_shop."','";
    +                        $sql .= "".$id_shop."','".$video_url."','".$value['name']."','".pSQL($name_shop)."','";
                             $sql .= "".$name_product."','".$type_video."')";
                             $db->query($sql);
                             $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
    @@ -195,7 +195,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         }
    @@ -214,7 +214,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         } else {
    @@ -230,7 +230,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                             $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                             $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
    -                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
    +                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                             $db->query($sql);
                             $ok="3";
                         }

CVE-2023-48925: [CVE-2023-48925] Improper neutralization of SQL parameter in Buy Addons - Product Video, Youtube, Vimeo Tab module for PrestaShop

SQLi vulnerability in LMS Lite component for Joomla.

CVE-2023-40629: LMS Lite - Joomla! Extension Directory


There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.



CVE-2023-25651: Security Bulletin Details

A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.
"GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive

Vulnerability / Data Breach

A previously unknown hacker outfit called **GambleForce** has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.

"GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials," Singapore-headquartered Group-IB said in a report shared with The Hacker News.

The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive information from compromised networks.

Also used by the threat actor is the legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group's origins are far from clear.

The attack chains entail the abuse of victims' public-facing applications of victims by exploiting SQL injections as well as the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to gain unauthorized access to a Brazilian company.

It's currently not known how GambleForce leverages the stolen information. The cybersecurity firm said it also took down the adversary's command-and-control (C2) server and notified the identified victims.

"Web injections are among the oldest and most popular attack vectors," Nikita Rostovcev, senior threat analyst at Group-IB, said.

"And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Hacker Group 'GambleForce' Tageting APAC Firms Using SQL Injection Attacks

SQL Injection vulnerability in functions/point_list.php in Common Services soliberte before v4.3.03 allows attackers to obtain sensitive information via the lat and lng parameters.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “soliberte” for PrestaShop, an attacker can perform a SQL injection from >= 4.0.0 and < 4.3.03. Release 4.3.03 fixed this security issue.

**Summary**

*   **CVE ID**: CVE-2023-40921
*   **Published at**: 2023-12-12
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: soliberte
*   **Impacted release**: >= 4.0.0 and < 4.3.03 (4.3.03 fixed issue)
*   **Product author**: Common Services
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Before 4.3.03, a sensitive SQL calls in file functions/point_list.php can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted lat and lng variables.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Technical and personal data leaks
*   Obtain admin access
*   Remove all data of the linked PrestaShop
*   Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

**Patch**

    --- a/modules/soliberte/classes/socolissimo.class.php
    +++ b/modules/soliberte/classes/socolissimo.class.php
    @@ -822,7 +822,7 @@ class So_Colissimo extends Module
            public function lookup_latlng($lat, $lng, $limiter = 30)
            {
                    $countDeactivateCarrier = 0;
    -               $formula = "(6366*acos(cos(radians('$lat'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('$lng'))+sin(radians('$lat'))*sin(radians(`lat`))))";
    +               $formula = "(6366*acos(cos(radians('" . (float)$lat . "'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('" . (float)$lng . "'))+sin(radians('" . (float)$lat . "'))*sin(radians(`lat`)))>
                    // meme principe que chmod pour savoir lesquels ne sont pas a inclure dans la recherche
                    if (!Configuration::get('SOLIBERTE_BPR'))
                            $countDeactivateCarrier += 4;
    @@ -899,8 +899,8 @@ class So_Colissimo extends Module
                    {
                            case $this->_retrait :
                                    if ($lat)
    -                                       $formula = "(6366*acos(cos(radians('$lat'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('$lng'))+sin(radians('$lat'))*sin(radians(`lat`))))";
    -                               $sql = 'select `id`, `libelle`, `adresse1`, `adresse2`, `lieudit`, `indice`, `code_postal`, `commune`, `lat`, `lng`, `mobilite_reduite`, `type`, `poids` '.
    +                                       $formula = "(6366*acos(cos(radians('" . (float)$lat . "'))*cos(radians(`lat`))*cos(radians(`lng`) -radians('" . (float)$lng . "'))+sin(radians('" . (float) $lat . >
    +                               $sql = 'select `id`, `libelle`, `adresse1`, `adresse2`, `lieudit`, `indice`, `code_postal`, `commune`, `la t`, `lng`, `mobilite_reduite`, `type`, `poids` '.
                                            ($lat ? ', '.$formula.' as distance ' : '').
                                            ' from '.$this->_retrait.' where id = "'.(int)$pr_id.'"';
                                    $tab = 0;
    

**Other recommandations**

*   Upgrade PrestaShop to the latest version to disable multiquery execution (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-08-12

Vunlnerability found during a audit by 202 ecommerce

2023-08-16

Contact PrestaShop addons teams to get the scope

2023-09-18

PrestaShop addons teams confirm the issue and supply a fixed release

2023-08-15

Request a CVE ID

2023-08-25

Received CVE ID

2023-12-12

Publication of this advisory

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-40921: [CVE-2023-40921] Improper neutralization of a SQL parameter in deprecated soliberte module from Common Services for PrestaShop

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

Skip to content

Sign in

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

glpi-project / **glpi** Public

*   Notifications
*   Fork 1.2k
*   Star 3.5k
    

*   Code
*   Issues 137
*   Pull requests 62
*   Actions
*   Projects 1
*   Security
*   Insights

Additional navigation options

Moderate

trasher published GHSA-94c3-fw5r-3362

Dec 13, 2023

**Package**

glpi (glpi)

**Affected versions**

\>= 10.0.0

**Patched versions**

10.0.11

**Description**

**Impact**

The saved search feature can be used to perform a SQL injection.

**Patches**

Upgrade to 10.0.11.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

Moderate

6.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVE ID**

CVE-2023-43813

**Weaknesses**

CWE-89

**Credits**

*    bhopkins0 Reporter

CVE-2023-43813: Authenticated SQL Injection

A vulnerability, which was classified as critical, has been found in SourceCodester Simple Student Attendance System 1.0. This issue affects the function save_attendance of the file actions.class.php. The manipulation of the argument sid leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247907.

CVE-2023-6771

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

High

trasher published GHSA-v799-2mp3-wgfr

Dec 13, 2023

**Affected versions**

\>= 10.0.0

**Description**

**Impact**

GLPI inventory endpoint can be used to drive a SQL injection attack.

**Patches**

Upgrade to 10.0.11

**Workarounds**

Disable native inventory.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Credits**

This vulnerability was discovered by Nikita Petrov (Positive Technologies).

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**Weaknesses**

Tag

#sql