PrestaShop vulnerable to SQL filter bypass leading to arbitrary write requests using "SQL Manager"
CVE-2023-30839

10CRITICAL

Key Information:

Vendor: Prestashop
Status: Prestashop
Vendor: CVE Published:; 25 April 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-30839?

PrestaShop, an open-source e-commerce platform, is affected by a SQL filtering vulnerability in versions prior to 8.0.4 and 1.7.8.9. This flaw allows authorized Backend Office (BO) users to execute database operations such as writing, updating, and deleting data, even if they lack specific rights. This vulnerability can lead to unintended data manipulation and compromise the integrity of the database. PrestaShop versions 8.0.4 and 1.7.8.9 include a patch to mitigate this issue, and no workarounds are available.

Affected Version(s)

PrestaShop >= 8.0.0, < 8.0.4 < 8.0.0, 8.0.4

PrestaShop < 1.7.8.9 < 1.7.8.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

lblfixer_cve_2023_30839
Created by drkbcn

References

https://github.com/PrestaShop/PrestaShop/security/advisor...

x_refsource_CONFIRM

https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fd...

x_refsource_MISC

https://github.com/PrestaShop/PrestaShop/commit/d1d27dc37...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Apr 27, 2023
👾
Exploit known to exist
Apr 27, 2023
Vulnerability published
Apr 25, 2023
Vulnerability Reserved
Apr 18, 2023

Prestashop

Badges

What is CVE-2023-30839?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline