CVE-2023-33280
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries via HTTP requests to the Store Commander scquickaccounting module for PrestaShop. Attackers can perform blind SQL injection to extract, modify, or delete database content. All PrestaShop installations using scquickaccounting module versions through 3.7.3 are affected.
💻 Affected Systems
- Store Commander scquickaccounting module for PrestaShop
📦 What is this software?
Quickaccounting by Storecommander
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including theft of customer data, financial records, and administrative credentials; potential for full system takeover via SQL injection to RCE chaining.
Likely Case
Data exfiltration of sensitive information including customer PII, order details, and potentially administrative credentials stored in the database.
If Mitigated
Limited impact with proper input validation, WAF rules, and database permission restrictions in place.
🎯 Exploit Status
Exploitation requires trivial HTTP requests with SQL injection payloads; blind SQL injection techniques are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.4 or later
Vendor Advisory: https://friends-of-presta.github.io/security-advisories/modules/2023/05/25/scquickaccounting.html
Restart Required: No
Instructions:
1. Update the scquickaccounting module to version 3.7.4 or later via the PrestaShop admin panel or manual installation.
2. Verify that the module update completed successfully.
3. Test functionality to ensure no regression.
🔧 Temporary Workarounds
Disable scquickaccounting module
Temporarily disable the vulnerable module until patching is possible
Navigate to PrestaShop admin > Modules > Module Manager > Find scquickaccounting > Disable
WAF rule implementation
Implement web application firewall rules to block SQL injection patterns targeting the module
Add WAF rule: Detect and block requests containing SQL keywords (SELECT, UNION, etc.) to scquickaccounting endpoints
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all scquickaccounting module endpoints
- Restrict database user permissions to minimum required (SELECT only, no DROP, INSERT, UPDATE)
🔍 How to Verify
Check if Vulnerable:
Check PrestaShop admin panel > Modules > Module Manager > scquickaccounting version. If the version is 3.7.3 or earlier, the system is vulnerable.
Check Version:
Check via PrestaShop admin interface: Modules > Module Manager > scquickaccounting
Verify Fix Applied:
Confirm scquickaccounting module version is 3.7.4 or later in PrestaShop admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in PrestaShop logs
- Multiple failed SQL queries from single IP to scquickaccounting endpoints
- HTTP requests with SQL keywords (UNION, SELECT, etc.) to module paths
Network Indicators:
- HTTP POST/GET requests to /modules/scquickaccounting/ with SQL injection payloads
- Unusual database query patterns from web server IP
SIEM Query:
source="prestashop.log" AND ("scquickaccounting" AND ("SQL" OR "syntax" OR "union" OR "select"))
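The log and network indicators above can be checked offline against web server access logs. The following Python script is an added example, not part of this advisory or of the Store Commander module; it parses combined-format access-log lines (constructed sample data, with "example.php" as a placeholder endpoint name since the advisory does not name the module's files), flags requests under /modules/scquickaccounting/ whose URL-decoded target contains the SQL keywords the advisory lists, and counts 5xx responses on the module path per source IP.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

MODULE_PATH = "/modules/scquickaccounting/"
# Keywords the advisory names as indicators; matched as whole words on the decoded request target.
SQL_KEYWORD_RE = re.compile(r"\b(union|select)\b", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (combined format); "example.php" is a placeholder, not a real file.
SAMPLE_LOG = """\
203.0.113.7 - - [25/May/2023:10:01:02 +0000] "GET /modules/scquickaccounting/example.php?id=5 HTTP/1.1" 200 512
203.0.113.7 - - [25/May/2023:10:01:05 +0000] "GET /modules/scquickaccounting/example.php?id=5%20UNION%20SELECT%201 HTTP/1.1" 500 128
203.0.113.7 - - [25/May/2023:10:01:09 +0000] "GET /modules/scquickaccounting/example.php?id=5%2520union%2520select HTTP/1.1" 200 512
198.51.100.2 - - [25/May/2023:10:02:00 +0000] "GET /index.php?controller=search&s=select+wines HTTP/1.1" 200 9000
198.51.100.2 - - [25/May/2023:10:02:04 +0000] "POST /modules/scquickaccounting/example.php HTTP/1.1" 200 256
"""

def is_suspicious(entry):
    """True for a request to the module path whose URL-decoded target carries a SQL keyword."""
    if not entry["target"].startswith(MODULE_PATH):
        return False
    # Decode twice so double-encoded (%25xx) values are caught. Matching the raw line would
    # miss "5%20UNION%20SELECT": the keywords sit between word characters, so \b never fires.
    decoded = unquote_plus(unquote_plus(entry["target"]))
    return SQL_KEYWORD_RE.search(decoded) is not None

def scan(log_text):
    """Return (suspicious module requests per source IP, 5xx responses on the module path per IP)."""
    hits, errors = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse (rotated headers, truncated writes)
        entry = m.groupdict()
        if is_suspicious(entry):
            hits[entry["ip"]] += 1
        # 5xx on the module path is the access-log side of the "unusual SQL error" indicator.
        # POST bodies are not in access logs, so a payload sent in a body is invisible to this check.
        if entry["target"].startswith(MODULE_PATH) and entry["status"].startswith("5"):
            errors[entry["ip"]] += 1
    return hits, errors

if __name__ == "__main__":
    hits, errors = scan(SAMPLE_LOG)
    for ip in sorted(set(hits) | set(errors)):
        print(f"{ip}: {hits[ip]} keyword hits, {errors[ip]} server errors on module path")
```

Run it against a real access log by passing the file contents to scan(); the keyword check deliberately ignores requests outside the module path, so a search for "select wines" on the storefront is not flagged.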
🔗 References
- https://friends-of-presta.github.io/security-advisories/modules/2023/05/25/scquickaccounting.html
- https://www.storecommander.com/en/addons/440-order-export-pro.html