Login Sign Up

CVE-2023-39640

9.8 CRITICAL
SQL Injection

📋 TL;DR

CVE-2023-39640 is a SQL injection vulnerability in UpLight cookiebanner module for PrestaShop that allows attackers to execute arbitrary SQL commands. This affects PrestaShop websites using the vulnerable cookiebanner module. Successful exploitation could lead to data theft, modification, or complete system compromise.

💻 Affected Systems

Products:
  • UpLight cookiebanner module for PrestaShop
Versions: All versions before 1.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with the cookiebanner module installed and enabled.

📦 What is this software?

Cookie Law by Uplight

View all CVEs affecting Cookie Law →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data exfiltration, privilege escalation, and potential remote code execution via database functions.

🟠

Likely Case

Unauthenticated attackers extracting sensitive data from the database including user credentials, payment information, and configuration secrets.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting query execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. The specific Hook::getHookModuleExecList() method appears to accept user input without proper sanitization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.1

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/09/21/cookiebanner.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel. 2. Navigate to Modules > Module Manager. 3. Search for 'cookiebanner'. 4. Click 'Upgrade' to version 1.5.1. 5. Clear PrestaShop cache from Advanced Parameters > Performance.

🔧 Temporary Workarounds

Disable cookiebanner module

all

Temporarily disable the vulnerable module until patching is possible

UPDATE ps_module SET active = 0 WHERE name = 'cookiebanner'

WAF rule for SQL injection

all

Implement web application firewall rules to block SQL injection patterns

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level
  • Restrict database user permissions to minimum required operations

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > cookiebanner

Check Version:

SELECT version FROM ps_module WHERE name = 'cookiebanner'

Verify Fix Applied:

Confirm cookiebanner module version is 1.5.1 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts from single IP
  • Unexpected database queries containing UNION, SELECT, or DROP statements

Network Indicators:

  • HTTP requests with SQL keywords in parameters
  • Abnormal database connection patterns from web server

SIEM Query:

source="web_logs" AND ("UNION SELECT" OR "1=1" OR "' OR '1'='1") AND uri="*cookiebanner*"

📊 Metadata

CVE ID: CVE-2023-39640
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: September 25, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-39640, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)