CVE-2023-26861

9.8 CRITICAL

📋 TL;DR

CVE-2023-26861 is a critical SQL injection vulnerability in the Viva Wallet payment module for PrestaShop. Attackers can exploit this to execute arbitrary SQL commands, potentially gaining administrative privileges or accessing sensitive data. All PrestaShop installations using Viva Wallet Smart Checkout version 1.7.10 or earlier are affected.

💻 Affected Systems

Products:
  • PrestaShop Viva Wallet Smart Checkout
Versions: 1.7.10 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with the Viva Wallet module enabled and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the PrestaShop installation including administrative access, customer data theft, payment information exposure, and potential server takeover.

🟠 Likely Case

Unauthorized administrative access leading to data exfiltration, website defacement, or installation of backdoors.

🟢 If Mitigated

Limited impact if proper input validation and WAF rules are in place, though SQL injection attempts may still cause service disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities in web applications are commonly exploited with automated tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.11 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/07/11/vivawallet.html

Restart Required: No

Instructions:

1. Update the Viva Wallet module to version 1.7.11 or later via the PrestaShop admin panel.
2. Alternatively, download the patched version from the official PrestaShop addons marketplace.
3. Clear the PrestaShop cache after the update.

🔧 Temporary Workarounds

Disable Viva Wallet Module

Applies to: all

Temporarily disable the vulnerable payment module until patched.

Steps: Navigate to PrestaShop admin > Modules > Module Manager > Search 'Viva Wallet' > Disable

WAF Rule Implementation

Applies to: all

Add SQL injection detection rules to the web application firewall.

Steps: Add a rule to block SQL injection patterns on vivawallet module endpoints.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries for all vivawallet module endpoints
  • Restrict access to vivawallet endpoints using IP whitelisting or authentication requirements

🔍 How to Verify

Check if Vulnerable:

In the PrestaShop admin panel, go to Modules > Module Manager and check the Viva Wallet Smart Checkout version. If it is 1.7.10 or earlier, the installation is vulnerable.

Check Version:

Check modules/vivawallet/README.md or the version file in the module directory.

Verify Fix Applied:

Verify Viva Wallet module version is 1.7.11 or later in PrestaShop admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed login attempts from a single IP
  • Unexpected database errors

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) to vivawallet endpoints
  • Unusual traffic patterns to payment module

SIEM Query:

source="prestashop_logs" AND ("vivawallet" OR "viva wallet") AND ("sql" OR "union" OR "select" OR "1=1")
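The network indicators above can be checked offline against web server access logs. The following is an added example, not part of this advisory or of the Viva Wallet module: it parses Combined Log Format lines, keeps only requests whose path contains "vivawallet", URL-decodes each query parameter and flags the SQL patterns listed above (UNION, SELECT, 1=1, comment sequences). The log lines and the `checkout.php` endpoint path are constructed for illustration; the module's real endpoint names are not given on this page.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Constructed sample access log lines (Combined Log Format), not real traffic.
# The vivawallet endpoint path is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2023:10:00:01 +0000] "GET /modules/vivawallet/checkout.php?order_id=42 HTTP/1.1" 200 512
203.0.113.9 - - [11/Jul/2023:10:00:02 +0000] "GET /modules/vivawallet/checkout.php?order_id=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
203.0.113.9 - - [11/Jul/2023:10:00:03 +0000] "GET /modules/vivawallet/checkout.php?order_id=1%20OR%201%3D1 HTTP/1.1" 200 512
198.51.100.2 - - [11/Jul/2023:10:00:04 +0000] "GET /index.php?controller=product&id_product=1%20UNION%20SELECT%201 HTTP/1.1" 200 9000
"""

# ip, timestamp, method, request target and status from a Combined Log Format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# SQL keywords and tautology/comment patterns named in the indicators above
SQLI_RE = re.compile(r"(?i)\b(union|select|insert|update|delete|drop|sleep|benchmark)\b|'\s*or\s+\S+\s*=|\b1\s*=\s*1\b|--\s*$|/\*")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_vivawallet_endpoint(target):
    # match on the path only, so a "vivawallet" string in a query value does not count
    return "vivawallet" in urlparse(target).path.lower()

def sqli_indicators(target):
    # parse_qsl decodes once; decode again to catch double-encoded payloads
    hits = []
    for name, value in parse_qsl(urlparse(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if SQLI_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text):
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not is_vivawallet_endpoint(rec["target"]):
            continue
        hits = sqli_indicators(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "time": rec["ts"], "status": rec["status"], "hits": hits})
    return findings

def ips_by_hits(findings):
    # source IPs ranked by number of flagged requests, for triage and WAF blocking
    return Counter(f["ip"] for f in findings)
```

A 500 response paired with a flagged parameter (the second line) matches the "unexpected database errors" log indicator and deserves the first look.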
