CVE-2023-36263
📋 TL;DR
CVE-2023-36263 is a critical SQL injection vulnerability in the opartlimitquantity (Op'art Limit Quantity) module for PrestaShop. A single crafted HTTP request to the module's alertlimit front controller is enough to inject arbitrary SQL into the shop database, so every table the shop's database user can reach is exposed. All PrestaShop installations running opartlimitquantity 1.4.5 or earlier are affected; 1.4.6 fixes the issue.
💻 Affected Systems
- PrestaShop opartlimitquantity (Op'art Limit Quantity) module, versions 1.4.5 and earlier
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the shop database: theft or manipulation of customer, order and employee data, creation or takeover of back-office accounts in the employee table, and, if the database user holds the FILE privilege, file writes via INTO OUTFILE that can lead to remote code execution on the web server.
Likely Case
Disclosure and manipulation of database contents, including back-office credential hashes that can be leveraged into administrative access to the PrestaShop back office.
If Mitigated
Limited impact if a WAF blocks the vulnerable controller in all of its URL forms, the shop's database user is restricted to the privileges the shop actually needs (no FILE, no access to other schemas), and the module code itself casts and escapes its inputs.
🎯 Exploit Status
Exploitation requires only a crafted HTTP request to the vulnerable endpoint; no special privileges or user interaction are described. Public details, including the vulnerable controller method, are available in the vendor advisory linked below, so working payloads are trivial to derive.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.6 or later
Vendor Advisory: https://security.friendsofpresta.org/modules/2023/10/25/opartlimitquantity.html
Restart Required: No
Instructions:
1. Update the opartlimitquantity module to version 1.4.6 or later via the PrestaShop Module Manager (or by uploading the updated module archive).
2. Clear the PrestaShop cache.
3. Verify the module is functioning correctly and that the installed version reads 1.4.6 or later.
🔧 Temporary Workarounds
Disable vulnerable module
Temporarily disable the opartlimitquantity module until patching is possible. While a module is disabled, PrestaShop stops serving its front controllers, so the vulnerable alertlimit controller is no longer reachable; the quantity-limit feature is unavailable in the meantime.
Navigate to PrestaShop admin > Modules > Module Manager > opartlimitquantity > Disable
WAF rule blocking
Implement WAF rules that block requests to the vulnerable controller. Match on the module and controller names rather than on a single path: PrestaShop also routes module front controllers through index.php (index.php?fc=module&module=opartlimitquantity&controller=alertlimit) and through the friendly URL /module/opartlimitquantity/alertlimit, so a rule that matches only one path form is bypassable.
Block requests to: /modules/opartlimitquantity/alertlimit?action=displayAjaxPushAlertMessage (and the index.php?fc=module&module=opartlimitquantity&controller=alertlimit form)
🧯 If You Can't Patch
- If you maintain the module code yourself, apply the pattern PrestaShop uses throughout its own code: cast identifiers such as id_product and id_product_attribute with (int) and pass any string values through pSQL() before they reach Db::getInstance()->execute*() (or use prepared statements), so that user input never lands in a query unescaped
- Grant the shop's database user only the privileges it needs on its own schema: no FILE, no SUPER, no access to other databases, so that a successful injection cannot escalate beyond the shop data
🔍 How to Verify
Check if Vulnerable:
Check the module version in PrestaShop admin: Modules > Module Manager > opartlimitquantity > Version. Any version up to and including 1.4.5 is vulnerable.
Check Version:
Check the PrestaShop database: SELECT version, active FROM ps_module WHERE name = 'opartlimitquantity' (ps_ is the default table prefix and may differ on your installation)
Verify Fix Applied:
Confirm the module version is 1.4.6 or later. The alertlimit endpoint remains reachable after the fix, since it is a legitimate feature of the module; what changes is that the product identifiers are sanitized before reaching the database, so a non-numeric id_product value should no longer alter the query.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to the alertlimit front controller (/modules/opartlimitquantity/alertlimit, /module/opartlimitquantity/alertlimit, or index.php?fc=module&module=opartlimitquantity&controller=alertlimit) whose id_product or id_product_attribute parameters are not plain integers, or contain SQL keywords, quotes or comment markers
- Unexpected queries from the PrestaShop database user in the MySQL general or slow log: UNION SELECT, information_schema lookups, SLEEP()/BENCHMARK() calls
Network Indicators:
- HTTP GET/POST requests to the vulnerable controller with SQL payloads in the parameters, often URL-encoded (sometimes double-encoded) and in mixed case; POST bodies are not in standard web access logs, so WAF or application-level logging is needed to see those
SIEM Query (pseudo-syntax; adapt to your platform, URL-decode the parameters first and match case-insensitively, since payloads are rarely sent as upper-case plain text):
source="web_access_logs" AND (uri="/modules/opartlimitquantity/alertlimit" OR uri="/module/opartlimitquantity/alertlimit" OR (uri="/index.php" AND query CONTAINS "module=opartlimitquantity" AND query CONTAINS "controller=alertlimit")) AND (param="id_product" OR param="id_product_attribute") AND (payload="UNION" OR payload="SELECT" OR payload="INSERT" OR payload="UPDATE" OR payload="DELETE" OR payload="SLEEP" OR payload="'" OR payload="--")
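The following script is an added example, not code from the page, the vendor or the module. It applies the detection logic above to web access logs offline: it parses Combined Log Format lines, recognises the alertlimit controller in the path forms PrestaShop routes module front controllers through (the /modules/ path named above, the friendly /module/ URL, and index.php?fc=module&module=...&controller=...), URL-decodes the query string and flags any request whose id_product or id_product_attribute is not a plain integer or carries SQL tokens. Because both parameters are product identifiers, "not an integer" is a tighter and less noisy signal than a keyword list alone. The log lines are constructed for the example; the IP addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Combined Log Format: host ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Path forms under which the alertlimit front controller is reachable
# (the /modules/ form is the one the advisory summary lists; /module/ is
# PrestaShop's friendly-URL form; index.php?fc=module is handled separately).
CONTROLLER_PATHS = (
    "/modules/opartlimitquantity/alertlimit",
    "/module/opartlimitquantity/alertlimit",
)

# Parameters the controller treats as product identifiers: must be integers.
INT_PARAMS = ("id_product", "id_product_attribute")

# Classic injection tokens; matched case-insensitively on the decoded value.
SQL_TOKENS = re.compile(
    r"\b(union|select|insert|update|delete|sleep|benchmark)\b|--|/\*|'", re.I
)


def targets_controller(target):
    """True if the request target addresses the alertlimit controller in any URL form."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") in CONTROLLER_PATHS:
        return True
    if parts.path.endswith("index.php"):
        q = parse_qs(parts.query)
        return (q.get("fc") == ["module"]
                and q.get("module") == ["opartlimitquantity"]
                and q.get("controller") == ["alertlimit"])
    return False


def suspicious_params(target):
    """Return (name, decoded value) pairs that are not plain integers or contain SQL tokens."""
    q = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for name in INT_PARAMS:
        for raw in q.get(name, []):
            value = unquote_plus(raw)  # parse_qs decoded once; this catches double-encoding
            if not value.isdigit() or SQL_TOKENS.search(value):
                hits.append((name, value))
    return hits


def scan(lines):
    """Flag access-log lines that hit the alertlimit controller with injection-like identifiers.

    Only GET query strings are visible in access logs; POST bodies need WAF or
    application logging and are out of scope here.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        target = m.group("target")
        if not targets_controller(target):
            continue  # same payload against another controller is not this CVE
        hits = suspicious_params(target)
        if hits:
            findings.append({"ip": m.group("ip"), "time": m.group("time"),
                             "target": target, "params": hits})
    return findings


# Constructed sample log lines (not real traffic). Lines 2 and 3 are attacks
# against the vulnerable controller; line 4 carries a payload against an
# unrelated controller and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Oct/2023:10:12:01 +0000] "GET /module/opartlimitquantity/alertlimit'
    '?action=displayAjaxPushAlertMessage&id_product=12&id_product_attribute=0 HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Oct/2023:10:12:09 +0000] "GET /module/opartlimitquantity/alertlimit'
    '?action=displayAjaxPushAlertMessage&id_product=12%20UNION%20SELECT%201%2C2%2C3--&id_product_attribute=0'
    ' HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.23 - - [25/Oct/2023:10:12:15 +0000] "GET /index.php?fc=module&module=opartlimitquantity'
    '&controller=alertlimit&action=displayAjaxPushAlertMessage&id_product=12%27%20AND%20SLEEP%285%29--%20-'
    '&id_product_attribute=0 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.50 - - [25/Oct/2023:10:13:00 +0000] "GET /index.php?controller=product'
    '&id_product=1%20UNION%20SELECT%201 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["params"])
```

Run it against your own access log with `scan(open("access.log"))` and review the flagged lines. The tokens list is deliberately short; in the alertlimit context the integer check does most of the work, and the token regex is there mainly to catch payloads that have been wrapped in a leading integer.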