CVE-2023-26859

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in PrestaShop's SendinBlue module allows remote attackers to execute arbitrary SQL commands via the ajaxOrderTracking.php component. Attackers can gain unauthorized privileges, potentially compromising the entire PrestaShop installation. All PrestaShop installations using SendinBlue module version 4.0.15 or earlier are affected.

💻 Affected Systems

Products:
  • PrestaShop SendinBlue module
Versions: 4.0.15 and earlier
Operating Systems: All platforms running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all PrestaShop installations with the SendinBlue module installed and enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation to admin, and potential remote code execution through database functions.

🟠 Likely Case

Unauthorized access to customer data, order information, and administrative takeover of the PrestaShop store.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, though SQL injection could still expose sensitive data.

🌐 Internet-Facing: HIGH - The vulnerable component is accessible via web interface without authentication.
🏢 Internal Only: LOW - This is primarily an internet-facing web application vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via ajaxOrderTracking.php requires no authentication and has public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.16

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/07/25/sendinblue.html

Restart Required: No

Instructions:

1. Update the SendinBlue module to version 4.0.16 or later via the PrestaShop admin panel.
2. Alternatively, download the updated module from the PrestaShop Addons marketplace.
3. No server restart is required.

🔧 Temporary Workarounds

Disable vulnerable component (platform: linux)

Temporarily disable or remove the ajaxOrderTracking.php file until patching.

mv modules/sendinblue/controllers/front/ajaxOrderTracking.php modules/sendinblue/controllers/front/ajaxOrderTracking.php.disabled

Web Application Firewall (platform: all)

Implement WAF rules to block SQL injection patterns targeting ajaxOrderTracking.php.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level.
  • Restrict database user permissions to minimum required for application functionality.

🔍 How to Verify

Check if Vulnerable:

Check SendinBlue module version in PrestaShop admin panel under Modules > Module Manager.

Check Version:

grep -r 'version' modules/sendinblue/ | grep -i sendinblue

Verify Fix Applied:

Verify that the SendinBlue module version is 4.0.16 or later, and confirm that the ajaxOrderTracking.php endpoint no longer responds to SQL injection payloads.
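The version check above can be scripted so that it is repeatable across many stores. The following is an added example, not code from the advisory or from the SendinBlue module: it reads the module's version string and compares it numerically against the 4.0.16 patch release. It assumes the module directory holds a PrestaShop-style config.xml with a <version> element and, as a fallback, a main sendinblue.php file assigning $this->version; both file layouts are assumptions, and the sample config.xml at the bottom is constructed so the script runs offline.

```python
"""Decide whether an installed SendinBlue module falls in the affected range
for CVE-2023-26859 (4.0.15 and earlier; fixed in 4.0.16).

Added example; not the advisory's or the module's own code. The config.xml
<version> element and the $this->version assignment in sendinblue.php are
assumed file layouts, not facts taken from the advisory.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "4.0.16"  # patch version stated in the advisory

# <version><![CDATA[4.0.15]]></version> or <version>4.0.15</version> (assumed layout)
CONFIG_VERSION_RE = re.compile(
    r"<version>\s*(?:<!\[CDATA\[)?\s*([0-9]+(?:\.[0-9]+)*)\s*(?:\]\]>)?\s*</version>"
)
# $this->version = '4.0.15'; in the module's main PHP file (assumed layout)
PHP_VERSION_RE = re.compile(r"\$this->version\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]")


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.0.15' -> (4, 0, 15). Tuple comparison orders versions numerically;
    a plain string comparison would wrongly rank 4.0.9 above 4.0.16."""
    return tuple(int(p) for p in text.strip().split("."))


def version_from_config_xml(xml_text: str) -> Optional[str]:
    m = CONFIG_VERSION_RE.search(xml_text)
    return m.group(1) if m else None


def version_from_php(php_text: str) -> Optional[str]:
    m = PHP_VERSION_RE.search(php_text)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True for every version below the fixed release, i.e. 4.0.15 and earlier."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_module_dir(module_dir: Path) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, affected); (None, None) when no version string is found."""
    version = None
    config = module_dir / "config.xml"
    if config.is_file():
        version = version_from_config_xml(config.read_text(errors="replace"))
    if version is None:
        main_php = module_dir / "sendinblue.php"  # assumed main file name
        if main_php.is_file():
            version = version_from_php(main_php.read_text(errors="replace"))
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) > 1:
        # Inspect a real install: python check.py /path/to/prestashop/modules/sendinblue
        target = Path(sys.argv[1])
    else:
        # No argument: build a constructed module directory so the script runs offline.
        target = Path(tempfile.mkdtemp()) / "sendinblue"
        target.mkdir()
        (target / "config.xml").write_text(
            '<?xml version="1.0"?><module><name>sendinblue</name>'
            "<version><![CDATA[4.0.15]]></version></module>"
        )
    version, affected = check_module_dir(target)
    if version is None:
        print(f"{target}: no version string found")
    else:
        state = "AFFECTED" if affected else "patched"
        print(f"{target}: sendinblue {version} -> {state}")
```

Run it with the path to the module directory to check a real install; the constructed 4.0.15 sample is only used when no path is given. A file-system check like this complements, rather than replaces, the Module Manager view, since a module can be present on disk but disabled, and vice versa.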

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests to ajaxOrderTracking.php with SQL syntax
  • Failed login attempts from unexpected IPs after exploitation

Network Indicators:

  • HTTP POST requests to */modules/sendinblue/controllers/front/ajaxOrderTracking.php containing SQL keywords

SIEM Query:

source="web_logs" AND url="*ajaxOrderTracking.php*" AND (request="*SELECT*" OR request="*UNION*" OR request="*INSERT*" OR request="*UPDATE*")
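The SIEM query above expresses the detection condition; the following added example (not part of the advisory) applies the same logic offline to web-server access log lines, so the rule can be tested before it is deployed. The log lines are constructed in a combined-log-style format, and that field layout is an assumption. Unlike a plain wildcard match, it URL-decodes the request twice so that double-encoded keywords are still caught, and it scopes the keyword match to the vulnerable endpoint to keep ordinary search terms on other pages from firing the rule.

```python
"""Flag access-log requests to the SendinBlue ajaxOrderTracking.php endpoint
that carry SQL keywords, mirroring the advisory's SIEM query.

Added example, not part of the advisory. The sample log lines and their
field layout are constructed; adjust LOG_RE to your server's log format.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Combined-log-style line: ip ident user [ts] "METHOD path PROTO" status size ... (assumed layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
ENDPOINT = "ajaxOrderTracking.php"
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "UPDATE")  # the keywords in the advisory's SIEM query
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)

# Constructed sample: two benign requests, two suspicious ones (the second double-encoded),
# and a request to the endpoint that returned 404 after the workaround was applied.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2023:10:00:01 +0000] "GET /modules/sendinblue/controllers/front/ajaxOrderTracking.php?id_order=1042 HTTP/1.1" 200 512
203.0.113.10 - - [25/Jul/2023:10:00:02 +0000] "GET /index.php?controller=search&s=select+tee HTTP/1.1" 200 9043
198.51.100.7 - - [25/Jul/2023:10:00:05 +0000] "POST /modules/sendinblue/controllers/front/ajaxOrderTracking.php?id_order=1042%20UNION%20SELECT%201 HTTP/1.1" 200 734
198.51.100.7 - - [25/Jul/2023:10:00:06 +0000] "POST /modules/sendinblue/controllers/front/ajaxOrderTracking.php?id_order=1042%2520UNION%2520SELECT%25201 HTTP/1.1" 200 734
192.0.2.44 - - [25/Jul/2023:10:00:09 +0000] "GET /modules/sendinblue/controllers/front/ajaxOrderTracking.php?id_order=77 HTTP/1.1" 404 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for lines that do not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry: Dict[str, str]) -> bool:
    """Endpoint-scoped keyword match on the decoded request path and query string."""
    path = entry["path"]
    if ENDPOINT not in path:
        return False
    # Decode twice so %2520-style double encoding cannot hide a keyword from the rule.
    decoded = unquote_plus(unquote_plus(path))
    return KEYWORD_RE.search(decoded) is not None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed entry that the rule flags, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            flagged.append(entry)
    return flagged


def sources(flagged: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per client address, for triage and blocking decisions."""
    return Counter(e["ip"] for e in flagged)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for e in hits:
        print(f"{e['ts']} {e['ip']} {e['method']} {e['status']} {e['path']}")
    print("per-source:", dict(sources(hits)))
```

Two caveats a practitioner should keep in mind: access logs record the request line but not POST bodies, so keywords sent in a form body (the network indicator above mentions POST requests) are only visible in WAF, reverse-proxy or application logs that capture the body; and keyword matching on its own produces false positives, so treat a hit as a trigger for reviewing the request and the database logs rather than as confirmed exploitation.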

🔗 References
