CVE-2023-30151 – A SQL injection vulnerability in the Boxtal (en... (How to Fix)

Q: What is the severity of CVE-2023-30151?

CVE-2023-30151 has a CVSS score of 9.8 (CRITICAL). A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop allows remote attackers to execute arbitrary SQL commands via the 'key' GET parameter. This affects PrestaShop installations using Boxtal module versions after 3.1.10, potentially leading to database compromise and complete system takeover.

📋 TL;DR

A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop allows remote attackers to execute arbitrary SQL commands via the 'key' GET parameter. This affects PrestaShop installations using Boxtal module versions after 3.1.10, potentially leading to database compromise and complete system takeover.

💻 Affected Systems

Products:

PrestaShop Boxtal (envoimoinscher) module

Versions: Versions after 3.1.10

Operating Systems: All operating systems running PrestaShop

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects PrestaShop installations with the vulnerable Boxtal module installed and enabled.

📦 What is this software?

Envoimoinscher by Boxtal

View all CVEs affecting Envoimoinscher →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full database compromise leading to data theft, privilege escalation, remote code execution, and complete system takeover.

🟠

Likely Case

Database information disclosure, data manipulation, and potential administrative access to the PrestaShop installation.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH - Exploitable via HTTP requests without authentication, affecting publicly accessible PrestaShop installations.

🏢 Internal Only: MEDIUM - Still exploitable internally but requires network access to the PrestaShop instance.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection via GET parameter requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest Boxtal Connect module (replacement for envoimoinscher)

Vendor Advisory: https://security.friendsofpresta.org/module/2023/06/20/envoimoinscher.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel. 2. Navigate to Modules > Module Manager. 3. Search for 'Boxtal' or 'envoimoinscher'. 4. Update to latest version or remove if not needed. 5. Consider migrating to Boxtal Connect module.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation for the 'key' parameter to block SQL injection attempts

Add parameter validation in affected PHP files before SQL queries execute

Web Application Firewall Rule

all

Block SQL injection patterns in the 'key' parameter

Configure WAF to block requests containing SQL keywords in 'key' parameter

🧯 If You Can't Patch

Disable or remove the Boxtal module if shipping functionality is not required
Implement network segmentation to restrict access to PrestaShop instance

🔍 How to Verify

Check if Vulnerable:

Check PrestaShop admin panel > Modules > Module Manager for Boxtal/envoimoinscher module version. If version is after 3.1.10, system is vulnerable.

Check Version:

Check PrestaShop database: SELECT version FROM ps_module WHERE name LIKE '%boxtal%' OR name LIKE '%envoimoinscher%';

Verify Fix Applied:

Verify module has been updated to latest version or removed. Test 'key' parameter with SQL injection payloads to confirm protection.

📡 Detection & Monitoring

Log Indicators:

SQL error messages in web server logs
Unusual database queries from web application
Multiple failed SQL injection attempts

Network Indicators:

HTTP requests with SQL keywords in 'key' parameter
Unusual database connection patterns from web server

SIEM Query:

web.url:*key=* AND (web.url:*SELECT* OR web.url:*UNION* OR web.url:*INSERT* OR web.url:*UPDATE* OR web.url:*DELETE*)

📊 Metadata

CVE ID: CVE-2023-30151

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: July 13, 2023

Last Updated: April 29, 2025

🔗 References

https://addons.prestashop.com/en/shipping-carriers/1755-boxtal-connect-turnkey-shipping-solution.html Not Applicable
https://help.boxtal.com/hc/fr/articles/360001342977-J-ai-besoin-du-module-PrestaShop-ancienne-version-Boxtal-Envoimoinscher-pour-mon-site Permissions Required,Third Party Advisory
https://security.friendsofpresta.org/module/2023/06/20/envoimoinscher.html Exploit,Third Party Advisory
https://addons.prestashop.com/en/shipping-carriers/1755-boxtal-connect-turnkey-shipping-solution.html Not Applicable
https://help.boxtal.com/hc/fr/articles/360001342977-J-ai-besoin-du-module-PrestaShop-ancienne-version-Boxtal-Envoimoinscher-pour-mon-site Permissions Required,Third Party Advisory
https://security.friendsofpresta.org/module/2023/06/20/envoimoinscher.html Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-30151, you might also want to check these: