CVE-2023-31671

9.8 CRITICAL

📋 TL;DR

This vulnerability lets unauthenticated remote attackers inject arbitrary SQL into PrestaShop installations running the PostFinance payment module version 17.1.13 or earlier, through the module's public payment validation front controller. An attacker can read, modify, or delete database content, including customer, order, and payment records. Every PrestaShop shop with a vulnerable PostFinance module installed and enabled is exposed.

💻 Affected Systems

Products:
  • PrestaShop PostFinance payment module
Versions: <= 17.1.13
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with the PostFinance payment module installed and enabled.

📦 What is this software?

The PostFinance module is a third-party payment module for PrestaShop that lets a shop accept payments through PostFinance, the Swiss payment provider. Like every PrestaShop payment module it exposes public front controllers; the one involved here is the validation controller, served at /module/postfinance/validation, which processes the payment validation request and, in 17.1.13 and earlier, uses request parameters in an SQL query without neutralising them.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: theft of customer and order data, exposure of stored payment details, site defacement, or full takeover of the shop. In PrestaShop the usual chain from SQL injection to code execution runs through the back office: read or insert employee credentials in the employee table, log in as an administrator, then upload a malicious module or theme.

🟠

Likely Case

Database information disclosure including customer data, order details, and potentially payment information extraction.

🟢

If Mitigated

Limited impact once the module is updated or disabled. Database-level least privilege (no FILE, SUPER, or PROCESS privileges, no access to other databases) reduces what a successful injection can reach, but cannot make the shop's own database user read-only, because the shop has to write carts and orders.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection in the module's validation front controller, PostfinanceValidationModuleFrontController::postProcess(). The controller is reachable without authentication at /module/postfinance/validation and, when friendly URLs are disabled, at index.php?fc=module&module=postfinance&controller=validation. Exploitation needs nothing more than a crafted HTTP request; the flaw and its details are public in the Friends of Presta security advisory linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 17.1.13

Vendor Advisory: https://friends-of-presta.github.io/security-advisories/modules/2023/06/13/postfinance.html

Restart Required: No

Instructions:

1. Back up the shop's files and database.
2. Update the PostFinance module to the latest release (later than 17.1.13), either through Modules > Module Manager > Upload a module in the back office, or by replacing the modules/postfinance/ directory with the new files over SFTP so that no old files remain.
3. Clear the PrestaShop cache (Advanced Parameters > Performance > Clear cache).
4. Confirm that Module Manager now shows a PostFinance version above 17.1.13.

🔧 Temporary Workarounds

Disable PostFinance module (all platforms)

Temporarily disable the vulnerable payment module until patching is possible. PrestaShop does not serve the front controllers of a disabled module (the request is redirected to the shop home page), so the vulnerable postProcess() becomes unreachable. The shop cannot take PostFinance payments while the module is disabled.

Navigate to PrestaShop admin > Modules > Module Manager > PostFinance > Disable

WAF rule implementation (all platforms)

Block requests carrying SQL injection patterns to the vulnerable endpoint. The rule must match both URL forms of the controller (/module/postfinance/validation, possibly with a language prefix, and index.php?fc=module&module=postfinance&controller=validation) and must inspect request parameters in POST bodies as well as the query string, because the payload can travel in either.

Add WAF rule: Block requests to /module/postfinance/validation, and to index.php with fc=module&module=postfinance&controller=validation, whose URL-decoded parameters contain SQL injection patterns

🧯 If You Can't Patch

  • Input validation cannot be added to a third-party module without changing its code, which is what the patch does; the realistic compensating controls are disabling the module or a WAF rule that inspects the parameters sent to the validation controller (see Temporary Workarounds).
  • Run the shop with a dedicated database user that has privileges only on the shop's database and none of FILE, SUPER, or PROCESS, and set secure_file_priv so an injection cannot write files under the web root. PrestaShop needs INSERT, UPDATE, and DELETE to function, so a SELECT-only user is not an option; least privilege limits what an injection can reach, it does not prevent one.

🔍 How to Verify

Check if Vulnerable:

In the back office, open Modules > Module Manager and search for PostFinance; a displayed version of 17.1.13 or lower is vulnerable.

Check Version:

On disk, the version is recorded in the <version> element of modules/postfinance/config.xml and in the $this->version assignment in modules/postfinance/postfinance.php. Compare versions numerically, not as strings (17.1.9 is older than 17.1.13).

Verify Fix Applied:

Confirm that the module version is above 17.1.13 both in Module Manager and in the files on disk, then test a PostFinance payment end to end to make sure the updated module works.
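The version checks above, as an added example that is not code from this page or from the module vendor. PrestaShop modules ship a config.xml whose <version> element holds the module version, and the module's main class file sets $this->version; the script reads both, compares numerically against 17.1.13, and reports the result. The two file contents embedded below are constructed samples (including a hypothetical later version number) so that it runs offline; on a real shop, pass <shop root>/modules/postfinance to check_module_dir().

```python
"""Version check for CVE-2023-31671 (PrestaShop PostFinance module <= 17.1.13).

Added example, not code from the advisory or the module vendor. Reads the
module version from config.xml (preferred) or from the $this->version line in
the module class (fallback) and reports whether it is in the affected range.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

LAST_VULNERABLE = "17.1.13"  # advisory: 17.1.13 and earlier are affected


def parse_version(version: str) -> tuple:
    """'17.1.13' -> (17, 1, 13). Numeric tuples compare correctly; a plain
    string comparison would rank '17.1.9' above '17.1.13'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def version_from_config_xml(xml_text: str) -> Optional[str]:
    """Read <version> from a PrestaShop module config.xml. The CDATA wrapper
    PrestaShop uses is handled transparently by ElementTree."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not node.text:
        return None
    return node.text.strip()


def version_from_module_php(php_text: str) -> Optional[str]:
    """Fallback: the `$this->version = '17.1.13';` line in the module class."""
    match = re.search(r"\$this->version\s*=\s*['\"]([0-9][0-9.]*)['\"]", php_text)
    return match.group(1) if match else None


def assess(version: Optional[str]) -> str:
    if version is None:
        return "unknown: no version found, inspect the module manually"
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"postfinance {version}: {state} (affected: <= {LAST_VULNERABLE})"


def check_module_dir(module_dir: Path) -> str:
    """Check a real install: prefer config.xml, fall back to postfinance.php."""
    version = None
    config = module_dir / "config.xml"
    main_php = module_dir / "postfinance.php"
    if config.is_file():
        version = version_from_config_xml(config.read_text(encoding="utf-8"))
    if version is None and main_php.is_file():
        version = version_from_module_php(main_php.read_text(encoding="utf-8"))
    return assess(version)


# Constructed sample file contents (not copied from the real module).
SAMPLE_CONFIG_XML = """<module>
    <name>postfinance</name>
    <displayName><![CDATA[PostFinance]]></displayName>
    <version><![CDATA[17.1.13]]></version>
    <is_configurable>1</is_configurable>
</module>
"""

# Hypothetical later version, used only to show the "patched" branch.
SAMPLE_MODULE_PHP = """<?php
class Postfinance extends PaymentModule
{
    public function __construct()
    {
        $this->name = 'postfinance';
        $this->version = '18.0.0';
        parent::__construct();
    }
}
"""

if __name__ == "__main__":
    print(assess(version_from_config_xml(SAMPLE_CONFIG_XML)))
    print(assess(version_from_module_php(SAMPLE_MODULE_PHP)))
```

Reading both files matters after a manual update: if only some files in modules/postfinance/ were replaced, config.xml and postfinance.php can disagree, and the lower of the two is the one to trust.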

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL statements in database logs (visible only if the MySQL general query log or an audit plugin is enabled; both are off by default)
  • Multiple failed or malformed payment validation attempts in a short period, typically from one source address
  • Requests to /module/postfinance/validation, or to index.php with fc=module&module=postfinance&controller=validation, whose URL-decoded parameters contain SQL syntax (UNION, SELECT, quotes, comment sequences, SLEEP())

Network Indicators:

  • HTTP requests, GET or POST, to the PostFinance validation controller carrying SQL syntax in the query string or request body, often from scripted clients rather than browsers

SIEM Query (pseudo-syntax; adapt field names to your platform):

source="web_logs"
  AND (
    uri MATCHES "/module/postfinance/validation"
    OR (uri MATCHES "/index.php" AND query CONTAINS "fc=module" AND query CONTAINS "module=postfinance" AND query CONTAINS "controller=validation")
  )
  AND (
    lower(urldecode(query_or_body)) CONTAINS "union"
    OR lower(urldecode(query_or_body)) CONTAINS "select"
    OR lower(urldecode(query_or_body)) CONTAINS "insert"
    OR lower(urldecode(query_or_body)) CONTAINS "delete"
    OR lower(urldecode(query_or_body)) CONTAINS "sleep("
    OR urldecode(query_or_body) CONTAINS "'"
  )

Two caveats: standard access logs record only the URL and query string, so query_or_body covers the POST body only where a WAF or reverse proxy logs request bodies; and matching must be case-insensitive on URL-decoded data, otherwise lower-case or percent-encoded keywords (union, %55NION) are missed.
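The detection logic above, run over sample access-log lines, as an added example that is not code from this page or from the module vendor. It recognises both URL forms PrestaShop accepts for the validation controller (the friendly URL, optionally with a language prefix, and the unrewritten index.php?fc=module&module=postfinance&controller=validation form) and flags requests whose URL-decoded query string contains SQL syntax. The log lines are constructed samples in Apache/nginx combined format using RFC 5737 documentation addresses; the parameter name orderID is illustrative and not taken from the advisory. The third sample shows the limitation noted above: a POST whose payload is in the body produces nothing in a combined-format log.

```python
"""Detection of CVE-2023-31671 exploitation attempts in web access logs.

Added example, not code from the advisory or the module vendor. Parses
combined-format log lines, keeps those aimed at the PostFinance validation
controller by either URL form, and reports SQL syntax in the decoded query.
Combined-format logs carry no POST body, so body-only payloads need a WAF
audit log or request-body logging at the reverse proxy.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Matched case-insensitively against the URL-decoded query string. Bare
# keywords are noisy on generic endpoints, but a payment validation
# controller never legitimately carries SQL syntax, so they are acceptable here.
SQLI_PATTERNS = {
    "union select": re.compile(r"\bunion\b[\s(]+(all[\s(]+)?select\b", re.I),
    "dml keyword": re.compile(r"\b(select|insert|update|delete)\b.*\b(from|into|set|where)\b", re.I | re.S),
    "tautology": re.compile(r"['\"]\s*(or|and)\s+\S+\s*=\s*\S+", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "sql comment": re.compile(r"(--|/\*|\*/)"),
}


def is_validation_controller(target: str) -> bool:
    """True for both URL forms of the PostFinance validation front controller."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").endswith("/module/postfinance/validation"):
        return True
    qs = parse_qs(parts.query)
    return (qs.get("fc") == ["module"]
            and qs.get("module") == ["postfinance"]
            and qs.get("controller") == ["validation"])


def sqli_indicators(query: str) -> list:
    """Names of the patterns found in a query string after URL decoding.
    Decoding twice also catches double-encoded payloads such as %2527 for '."""
    decoded = unquote_plus(unquote_plus(query))
    return [name for name, pattern in SQLI_PATTERNS.items() if pattern.search(decoded)]


def scan(lines) -> list:
    """One alert dict per log line that targets the validation controller
    and carries SQL syntax in its query string."""
    alerts = []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if not m or not is_validation_controller(m["target"]):
            continue
        hits = sqli_indicators(urlsplit(m["target"]).query)
        if hits:
            alerts.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                           "status": m["status"], "target": m["target"],
                           "indicators": hits})
    return alerts


# Constructed sample log lines; orderID is an illustrative parameter name.
SAMPLE_LOG = [
    # 1: friendly URL, union-based extraction attempt in the query string
    '203.0.113.9 - - [13/Jun/2023:10:05:42 +0000] "GET /module/postfinance/validation?orderID=1%27%20UNION%20SELECT%20passwd%20FROM%20ps_employee--%20- HTTP/1.1" 500 1234 "-" "python-requests/2.31"',
    # 2: unrewritten URL form, time-based probe; a rule keyed only on the friendly URL misses this
    '203.0.113.9 - - [13/Jun/2023:10:06:01 +0000] "GET /index.php?fc=module&module=postfinance&controller=validation&orderID=1+AND+SLEEP(5) HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    # 3: POST to the controller; any payload would be in the body, which this log format does not record
    '198.51.100.7 - - [13/Jun/2023:10:07:15 +0000] "POST /en/module/postfinance/validation HTTP/1.1" 302 0 "https://shop.example/order" "Mozilla/5.0"',
    # 4: SQL syntax against a different module: out of scope for this rule
    '203.0.113.9 - - [13/Jun/2023:10:08:30 +0000] "GET /module/othermodule/validation?id=1%20UNION%20SELECT%201 HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Feed real logs with `scan(open("/var/log/nginx/access.log"))`; the same two functions can be lifted into a SIEM parser or a WAF rule, where the body is available and the same patterns should be applied to it.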
