CVE-2023-30839: Critical SQLi vulnerability in PrestaShop open-source e-commerce web app

CVE-2023-30839

In today’s fast-paced world, eCommerce has become an essential part of our daily lives. With its rapid growth and increasing popularity, PrestaShop stands out as a leading Open Source eCommerce web application, providing an exceptional shopping cart experience for both merchants and customers. As of now, nearly 300,000 online merchants worldwide trust PrestaShop for their business needs.

However, as with any software, security vulnerabilities can emerge. Three recently discovered security vulnerabilities in PrestaShop could potentially impact your online store.

CVE-2023-30839

  1. CVE-2023-30839: SQL Filter Bypass Resulting in Arbitrary Write Requests

With a CVSS score of 9.9, this vulnerability is considered critical. It allows a back-office user to write, update, and delete data in the database without having the necessary permissions. This can lead to unauthorized modifications to your online store’s data, potentially causing significant damage to your business. The patch for this vulnerability will be included in PrestaShop versions 8.0.4 and 1.7.8.9.

Unfortunately, there are no workarounds for the CVE-2023-30839 issue. It is crucial to update your PrestaShop installation as soon as the patch becomes available.

  1. CVE-2023-30545: Arbitrary File Read

With a CVSS score of 7.7, this vulnerability is considered high risk. A user with access to the SQL Manager can exploit this flaw to read any file on the operating system using the SQL function LOAD_FILE in a SELECT request. This can lead to unauthorized access to sensitive information, such as database credentials, encryption keys, or other critical files. The patch for this vulnerability will be available in PrestaShop versions 8.0.4 and 1.7.8.9.

  1. CVE-2023-30838: XSS Injection Through Validate::isCleanHTML Method

This vulnerability, with a CVSS score of 8.0, is considered high risk. It stems from the ValidateCore::isCleanHTML() method, which misses hijackable events, allowing for XSS injection. The vulnerability is particularly dangerous because it can hijack any HTML element without user interaction, increasing the risk of a successful attack. The patch for this vulnerability will be included in PrestaShop versions 8.0.4 and 1.7.8.9.

The security of your eCommerce store is of paramount importance. Staying informed about potential vulnerabilities and taking appropriate action to patch them is crucial in maintaining a safe and secure online shopping experience for your customers. By updating your PrestaShop installation to the latest versions (8.0.4 or 1.7.8.9), you can protect your business from these vulnerabilities and continue to offer a seamless and reliable service to your customers.