Skip to content

SQL filter bypass leading to arbitrary write requests using "SQL Manager"

Critical
mflasquin published GHSA-p379-cxqh-q822 Apr 25, 2023

Package

composer prestashop/prestashop (Composer)

Affected versions

< 8.0.4

Patched versions

8.0.4, 1.7.8.9

Description

Impact

SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights.

Patches

PrestaShop 8.0.4 and 1.7.8.9 will contain the patch.

Workarounds

no

References

no

Severity

Critical
9.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-30839

Weaknesses

No CWEs

Credits