CVE-2023-30149

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the City Autocomplete module for PrestaShop allows remote attackers to execute arbitrary SQL commands via frontend parameters. Attackers can potentially read, modify, or delete database content. All PrestaShop installations using vulnerable versions of this module are affected.

💻 Affected Systems

Products:
  • PrestaShop City Autocomplete module from ebewe.net
Versions: Versions prior to 1.8.12 (for PrestaShop 1.5/1.6) or prior to 2.0.3 (for PrestaShop 1.7)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with the vulnerable module enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including customer data theft, administrative account takeover, and potential remote code execution via database functions.

🟠 Likely Case

Data exfiltration of customer information (names, addresses, emails), order history, and potentially administrative credentials stored in the database.

🟢 If Mitigated

Limited impact if database user has minimal privileges and input validation blocks malicious payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via frontend parameters requires no authentication and is trivial to exploit with automated tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.12 (for PrestaShop 1.5/1.6) or 2.0.3 (for PrestaShop 1.7)

Vendor Advisory: https://friends-of-presta.github.io/security-advisories/module/2023/06/01/cityautocomplete.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find 'City Autocomplete' module.
4. Update to version 1.8.12 (PrestaShop 1.5/1.6) or 2.0.3 (PrestaShop 1.7).
5. Clear PrestaShop cache.

🔧 Temporary Workarounds

Disable vulnerable module

all

Temporarily disable the City Autocomplete module until patched

Log into PrestaShop admin > Modules > Module Manager > Find 'City Autocomplete' > Click Disable

WAF rule blocking

linux

Add web application firewall rules to block SQL injection patterns targeting autocompletion.php

ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt in City Autocomplete'"

🧯 If You Can't Patch

  • Disable the City Autocomplete module immediately
  • Implement strict input validation and parameterized queries at application level

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel: Modules > Module Manager > City Autocomplete. If version < 1.8.12 (PrestaShop 1.5/1.6) or < 2.0.3 (PrestaShop 1.7), you are vulnerable.

Check Version:

No direct CLI command. Check via PrestaShop admin interface.

Verify Fix Applied:

Confirm module version shows 1.8.12 or higher (PrestaShop 1.5/1.6) or 2.0.3 or higher (PrestaShop 1.7) after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests to autocompletion.php with SQL keywords in parameters
  • Error logs showing SQL syntax errors

Network Indicators:

  • HTTP requests to /modules/cityautocomplete/autocompletion.php containing SQL injection payloads in type, input_name, or q parameters

SIEM Query:

source="web_logs" AND uri="/modules/cityautocomplete/autocompletion.php" AND (param="type" OR param="input_name" OR param="q") AND (payload="UNION" OR payload="SELECT" OR payload="INSERT" OR payload="DELETE" OR payload="--" OR payload="' OR '1'='1")
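
The log and network indicators above can also be checked directly against a web server access log. The following is an added example, not part of the original advisory or any vendor tooling; it assumes Apache/nginx "combined" log format, the function names and keyword pattern are illustrative, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path and parameter names come from the advisory text above.
TARGET_PATH = "/modules/cityautocomplete/autocompletion.php"
WATCHED_PARAMS = ("type", "input_name", "q")
# Assumption: keyword set mirroring the SIEM query; tune it for your traffic.
SQLI_RE = re.compile(
    r"\b(union|select|insert|delete)\b|--|'\s*or\s*'1'\s*=\s*'1",
    re.IGNORECASE)
# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2023:10:00:01 +0000] "GET /modules/cityautocomplete/autocompletion.php?type=city&q=Par HTTP/1.1" 200 312',
    '198.51.100.23 - - [01/Jun/2023:10:00:05 +0000] "GET /modules/cityautocomplete/autocompletion.php?type=city&q=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '198.51.100.23 - - [01/Jun/2023:10:00:06 +0000] "GET /shop/modules/cityautocomplete/autocompletion.php?input_name=city%20UNION%20SELECT%201&q=x HTTP/1.1" 500 87',
    '203.0.113.7 - - [01/Jun/2023:10:00:09 +0000] "GET /search?q=select HTTP/1.1" 200 4410',
]


def suspicious_params(line):
    """Return (client_ip, [flagged parameter names]) for a log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(TARGET_PATH):  # also matches shops in a subdirectory
        return None
    # parse_qs percent-decodes values, so URL-encoded payloads are matched too.
    params = parse_qs(url.query, keep_blank_values=True)
    flagged = [
        name for name in WATCHED_PARAMS
        if any(SQLI_RE.search(v) for v in params.get(name, []))
    ]
    return (m.group("ip"), flagged) if flagged else None


def scan(lines):
    """Return every flagged (client_ip, parameter names) pair, in log order."""
    return [hit for hit in map(suspicious_params, lines) if hit]


if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG):
        print(f"{ip}: SQL keywords in {', '.join(names)}")
```

Access logs record only the query string, so parameters sent in a request body need WAF or application-level logging to be visible to this kind of check.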
