SQL injection - Code In prestashop/prestashop
Description
Arbitrary file read via SQL injection
Impact
A user with access to the SQL Manager (Advanced Options -> Database) can read arbitrary files on the operating system by using the SQL function LOAD_FILE in a SELECT request, which gives them access to critical information.
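An added example, not PrestaShop's patch or code from this advisory: a Python check that flags query strings calling LOAD_FILE, for reviewing saved or logged SQL Manager requests. It lexes out string literals and comments first, so text inside a literal is not flagged and a comment placed around the function name does not hide a call; the function names and sample queries are constructed for illustration.

```python
import re

# String literals, backtick identifiers and comments, roughly as MySQL lexes them.
_STRING = r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.|\"\")*\""
_IDENT = r"`(?:[^`]|``)*`"
_EXEC_OPEN = r"/\*!\d*"  # MySQL executes the body of /*! ... */ comments, so keep it
_COMMENT = r"/\*.*?\*/|--[ \t][^\n]*|#[^\n]*"
_LEXER = re.compile(
    f"(?P<string>{_STRING})|(?P<ident>{_IDENT})|(?P<exec>{_EXEC_OPEN})|(?P<comment>{_COMMENT})",
    re.S,
)
_LOAD_FILE = re.compile(r"\bLOAD_FILE\s*\(", re.I)


def skeleton(sql: str) -> str:
    """Return sql with literals emptied and comments dropped (executable bodies kept)."""
    def repl(m: re.Match) -> str:
        if m.group("string"):
            return "''"      # literal content can never be a function call
        if m.group("ident"):
            return "`_`"     # a quoted identifier is a name, not a call
        return " "           # comment, or the opener of an executable comment
    # The closing marker of an executable comment is left behind; blank it out.
    return _LEXER.sub(repl, sql).replace("*/", " ")


def uses_load_file(sql: str) -> bool:
    """True if the query calls LOAD_FILE outside string literals and comments."""
    return bool(_LOAD_FILE.search(skeleton(sql)))


def audit(queries):
    """Return (index, query) for every query that calls LOAD_FILE."""
    return [(i, q) for i, q in enumerate(queries) if uses_load_file(q)]


# Constructed sample requests (not taken from any real shop).
SAMPLES = [
    "SELECT id_order, reference FROM ps_orders WHERE valid = 1",
    "SELECT LOAD_FILE('/path/to/file')",
    "select Load_File /* note */ ('/path/to/file') AS c",
    "SELECT 'docs mention LOAD_FILE(...) here' AS note",
    "SELECT 1 -- LOAD_FILE('/path/to/file')",
    "SELECT /*!50000 LOAD_FILE*/('/path/to/file')",
]

if __name__ == "__main__":
    for i, q in audit(SAMPLES):
        print(f"flag #{i}: {q}")
```

A match is a review signal rather than proof of a file read: in MySQL, LOAD_FILE returns data only when the database account holds the FILE privilege and the path is allowed by `secure_file_priv`, so those two settings are worth checking alongside the update.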
Patches
The patch will be included in PS 8.0.4 and PS 1.7.8.9.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| packagist | | | 8.0.4, 1.7.8.9 |