← back
CVE-2023-30839

PrestaShop vulnerable to SQL filter bypass leading to arbitrary write requests using "SQL Manager"

CVSS 10 CRITICALEPSS 1.7%CWE-89
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
PrestaShop · PrestaShop
public PoCs found1
githubgithub.com/drkbcn/lblfixer_cve_2023_308390
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822