logo

Database

SQL injection - Code In prestashop/prestashop

Description

SQL filter bypass leading to arbitrary write requests using "SQL Manager"

Impact

SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights.

Patches

PrestaShop 8.0.4 and 1.7.8.9 will contain the patch.

Workarounds

no

References

no

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-308392. NVD-2023-308393. OSV-2023-308394. GHSA-p379-cxqh-q8225. GCVE-2023-30839

References

1. https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q8222. https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c303. https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f21494. https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.95. https://github.com/PrestaShop/PrestaShop/releases/tag/8.0.46. https://github.com/drkbcn/lblfixer_cve_2023_30839

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.