CVE-2023-33278

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute blind SQL injection attacks via HTTP requests to the Store Commander scexportcustomers module in PrestaShop. It affects PrestaShop installations using the vulnerable module version, potentially exposing sensitive database information including customer data, credentials, and configuration details.

💻 Affected Systems

Products:
  • PrestaShop with Store Commander scexportcustomers module
Versions: scexportcustomers module through version 3.6.1
Operating Systems: All platforms running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the scexportcustomers module to be installed and enabled. The vulnerability is in the module, not core PrestaShop.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data exfiltration, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case: Extraction of sensitive customer data (PII, payment information), admin credentials, and database schema information.

🟢 If Mitigated: Limited information disclosure if database permissions are properly restricted and input validation is enforced elsewhere.

🌐 Internet-Facing: HIGH - Exploitable via HTTP requests without authentication, making internet-facing instances immediately vulnerable.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires trivial HTTP requests with SQL injection payloads. Public proof-of-concept demonstrates blind SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: scexportcustomers module version 3.6.2 or later

Vendor Advisory: https://friends-of-presta.github.io/security-advisories/modules/2023/05/25/scexportcustomers.html

Restart Required: No

Instructions:

1. Update the scexportcustomers module to version 3.6.2 or later via the PrestaShop admin panel or manual installation.
2. Verify the module version in the module manager.
3. Clear any PrestaShop cache if applicable.

🔧 Temporary Workarounds

Disable vulnerable module (Platform: all)

Temporarily disable the scexportcustomers module until patched.

Navigate to PrestaShop admin > Modules > Module Manager > Find scexportcustomers > Disable

Web Application Firewall rule (Platform: all)

Block SQL injection patterns targeting the module endpoint.

Add a WAF rule to block requests containing SQL keywords to /modules/scexportcustomers/

🧯 If You Can't Patch

  • Disable the scexportcustomers module immediately
  • Implement network-level restrictions to limit access to the module endpoint

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > scexportcustomers. If version is 3.6.1 or earlier, you are vulnerable.

Check Version:

Check PrestaShop database: SELECT version FROM ps_module WHERE name = 'scexportcustomers';

Verify Fix Applied:

Confirm module version is 3.6.2 or later in the module manager. Test the export functionality to ensure it works without errors.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /modules/scexportcustomers/ with SQL keywords (UNION, SELECT, INSERT, etc.)
  • Unusual database query patterns from web server IP

Network Indicators:

  • HTTP POST/GET requests to module endpoint with encoded SQL payloads
  • Multiple rapid requests to customer export functionality

SIEM Query:

web.url:*scexportcustomers* AND (web.query:*UNION* OR web.query:*SELECT* OR web.query:*INSERT*)
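As an added example (not part of this advisory), the following Python filter applies the log indicators above to web-server access-log lines, decoding URL-encoded query strings before matching so that encoded payloads are not missed. The log lines and the script name under the module path are constructed placeholders, not values taken from the vulnerable module.

```python
import re
from urllib.parse import unquote_plus

MODULE_PATH = "/modules/scexportcustomers/"
# Keywords named in the advisory's log indicators, plus the time-delay functions
# typically seen in blind (time-based) SQL injection attempts.
SQLI_RE = re.compile(r"\b(UNION|SELECT|INSERT|SLEEP|BENCHMARK)\b", re.IGNORECASE)
# Apache/Nginx "combined" access-log layout: ip ident user [ts] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); "export.php" is a placeholder script name.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/May/2023:10:00:01 +0000] "GET /modules/scexportcustomers/export.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [25/May/2023:10:00:02 +0000] "GET /modules/scexportcustomers/export.php?id=1%27%20UNION%20SELECT%201 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.12 - - [25/May/2023:10:00:03 +0000] "GET /modules/scexportcustomers/export.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.13 - - [25/May/2023:10:00:04 +0000] "GET /index.php?controller=product&id_product=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(url):
    """True when the request targets the module path and carries an SQL keyword."""
    if MODULE_PATH not in url:
        return False
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are also matched.
    decoded = unquote_plus(unquote_plus(url))
    return bool(SQLI_RE.search(decoded))


def find_hits(lines):
    """Return (ip, url) pairs for every line that matches the indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["url"]):
            hits.append((rec["ip"], rec["url"]))
    return hits


if __name__ == "__main__":
    for ip, url in find_hits(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {url}")
```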
