CVE-2023-30154
📋 TL;DR
This CVE describes SQL injection vulnerabilities in the AfterMail module for PrestaShop that allow remote attackers to execute arbitrary SQL commands. Attackers can exploit parameters like id_customer, id_conf, id_product, and token to potentially access, modify, or delete database content. All PrestaShop installations using vulnerable versions of the AfterMail module are affected.
💻 Affected Systems
- PrestaShop AfterMail module (aftermailpresta)
📦 What is this software?
Aftermail by Shoprunners
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized access to sensitive customer data, order information, and administrative credentials stored in the database.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database user privilege restrictions in place.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized, and the public disclosure includes technical details enabling exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.1
Vendor Advisory: https://security.friendsofpresta.org/modules/2023/10/10/aftermailpresta.html
Restart Required: No
Instructions:
1. Log into PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find AfterMail module.
4. Update to version 2.2.1 or later.
5. Clear PrestaShop cache if needed.
🔧 Temporary Workarounds
Disable AfterMail module
Temporarily disable the vulnerable module until patching is possible
Navigate to PrestaShop admin > Modules > Module Manager > AfterMail > Disable
Web Application Firewall rules
Block SQL injection patterns targeting aftermailajax.php
Configure WAF to block requests containing SQL injection patterns to /modules/aftermailpresta/aftermailajax.php
🧯 If You Can't Patch
- Disable the AfterMail module completely via PrestaShop admin interface
- Implement network-level blocking of requests to aftermailajax.php using firewall rules
🔍 How to Verify
Check if Vulnerable:
Check AfterMail module version in PrestaShop admin panel under Modules > Module Manager > AfterMail
Check Version:
Check PrestaShop database: SELECT version FROM ps_module WHERE name = 'aftermailpresta'
Verify Fix Applied:
Confirm AfterMail module version is 2.2.1 or higher in PrestaShop admin
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in web server logs
- Multiple requests to aftermailajax.php with SQL-like parameters
- Database query errors containing AfterMail-related SQL
Network Indicators:
- HTTP POST/GET requests to /modules/aftermailpresta/aftermailajax.php with SQL injection payloads
- Unusual database traffic patterns from web server
SIEM Query:
source="web_server_logs" AND (uri="/modules/aftermailpresta/aftermailajax.php" AND (message="SQL" OR message="syntax" OR parameters CONTAINS "UNION" OR parameters CONTAINS "SELECT"))
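Added example (not from the vendor advisory or the module's code): a log triage script that applies an allow-list to the four parameters named above instead of matching SQL keywords, so it also flags values a keyword rule would miss. Assumptions: combined-format access logs, the ID parameters are plain integers, and token is alphanumeric. Only query-string parameters are visible in access logs, so POST bodies are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint and parameter names come from the advisory text above.
ENDPOINT = "/modules/aftermailpresta/aftermailajax.php"
# Assumption: ID parameters are plain integers and token is alphanumeric.
ALLOWED = {
    "id_customer": re.compile(r"[0-9]{1,10}"),
    "id_conf": re.compile(r"[0-9]{1,10}"),
    "id_product": re.compile(r"[0-9]{1,10}"),
    "token": re.compile(r"[A-Za-z0-9]{1,64}"),
}
# Request part of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (line_number, parameter, decoded_value) for each watched
    parameter whose value does not match its allow-list pattern."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        # endswith() also covers shops installed in a subdirectory
        if not target.path.endswith(ENDPOINT):
            continue
        # parse_qsl percent-decodes, so encoded values are checked decoded
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            pattern = ALLOWED.get(name)
            if pattern and not pattern.fullmatch(value):
                findings.append((number, name, value))
    return findings


# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /modules/aftermailpresta/aftermailajax.php?id_customer=12&id_conf=3&token=ab12cd34 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:10:00:05 +0000] "GET /modules/aftermailpresta/aftermailajax.php?id_product=5%20UNION%20SELECT%201 HTTP/1.1" 500 0',
    '203.0.113.9 - - [10/Oct/2023:10:00:06 +0000] "GET /index.php?id_product=5 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Oct/2023:10:00:07 +0000] "POST /modules/aftermailpresta/aftermailajax.php?token=x%27 HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for number, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {name}={value!r}")
```

Any hit on a shop that still runs a module version below 2.2.1 is worth correlating with database error logs for the same timestamp.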