Login Sign Up

CVE-2023-30191

9.8 CRITICAL
SQL Injection

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands on PrestaShop installations using the cdesigner module version 3.1.9 or earlier. Attackers can potentially access, modify, or delete database content. Any PrestaShop site with the vulnerable cdesigner module installed is affected.

💻 Affected Systems

Products:
  • PrestaShop cdesigner module
Versions: All versions < 3.1.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with the cdesigner module installed and enabled.

📦 What is this software?

Cdesigner by Cdesigner Project

View all CVEs affecting Cdesigner →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to remote code execution.

🟠

Likely Case

Unauthorized database access allowing extraction of sensitive information like customer data, admin credentials, or payment information.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via CdesignerTraitementModuleFrontController::initContent() method allows direct exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.9

Vendor Advisory: https://friends-of-presta.github.io/security-advisories/modules/2023/05/17/cdesigner-89.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel. 2. Navigate to Modules > Module Manager. 3. Find 'cdesigner' module. 4. Click 'Upgrade' to version 3.1.9 or later. 5. Clear PrestaShop cache.

🔧 Temporary Workarounds

Disable cdesigner module

all

Temporarily disable the vulnerable module until patching is possible

php /path/to/prestashop/bin/console prestashop:module disable cdesigner

Web Application Firewall rule

all

Block SQL injection patterns targeting cdesigner endpoints

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check cdesigner module version in PrestaShop admin panel under Modules > Module Manager

Check Version:

grep -r 'version' /path/to/prestashop/modules/cdesigner/ | grep -i '3.1'

Verify Fix Applied:

Confirm cdesigner module version is 3.1.9 or higher in module manager

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests to cdesigner module endpoints with SQL syntax

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) to cdesigner paths

SIEM Query:

source="web_logs" AND uri="*cdesigner*" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*")

📊 Metadata

CVE ID: CVE-2023-30191
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: May 17, 2023
Last Updated: January 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-30191, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)