CVE-2023-39646

9.8 CRITICAL

📋 TL;DR

An SQL injection in the Theme Volty CMS Category Chain Slider module (technical name `tvcmscategorychainslider`) for PrestaShop lets an unauthenticated visitor inject into a query the module runs against the shop database. A successful attacker can read, modify, or delete database content, including customer records and back-office employee accounts. Every PrestaShop shop that has a vulnerable version of the module (4.0.1 or earlier) installed and enabled is affected.

💻 Affected Systems

Products:
  • Theme Volty CMS Category Chain Slider module for PrestaShop
Versions: 4.0.1 and earlier (fixed in 4.0.2)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The module must be installed and enabled. The injectable code path is reachable by guest visitors, so no customer account, session, or back-office access is needed.

📦 What is this software?

Theme Volty CMS Category Chain Slider (`tvcmscategorychainslider`, the name under which it is registered in the `ps_module` table) is a front-office PrestaShop module from Theme Volty that renders a slider of product categories on the shop's pages. Because it serves content to anonymous shoppers, its request handlers are reachable by anyone who can browse the shop.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the shop database: read, modify, or delete any table the PrestaShop database account can reach. Escalation to code execution is possible in two common ways: if the database account holds the MySQL FILE privilege and can write into a web-served directory, a query can drop a PHP file there; otherwise an attacker can insert or take over a back-office employee account and then upload a malicious module through the admin panel.

🟠 Likely Case

Disclosure of database contents: customer PII (`ps_customer`, `ps_address`), order and payment history, and back-office employee records from `ps_employee` including password hashes, which can be cracked offline or used to gain admin access. This typically precedes defacement, injection of a payment-card skimmer into the storefront, or further attacks on the host.

🟢 If Mitigated

Reduced but not eliminated impact. A least-privilege database account (no FILE or SUPER, no access to other schemas), a WAF in front of the module's endpoints, and network segmentation of the shop host cut off the code-execution chains and lateral movement. Note that PrestaShop uses one database account for the whole shop, so even a well-scoped account still exposes every shop table to the injection; only patching or disabling the module removes that.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection in PrestaShop modules is routinely weaponized by automated scanners. The FriendsOfPresta advisory names the affected module and version range, which is enough for an attacker to locate the injectable request path without further research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.0.2 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/09/26/tvcmscategorychainslider.html

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Search for 'Theme Volty CMS Category Chain Slider'.
4. Update to version 4.0.2 or later. If the module was bundled with a Theme Volty theme rather than installed from the marketplace, obtain the updated package from the vendor and install it via Modules > Module Manager > Upload a module.
5. Clear the PrestaShop cache (Advanced Parameters > Performance > Clear cache).
6. Confirm the new version is shown in Module Manager and that the module still loads on the front office.

🔧 Temporary Workarounds

Disable vulnerable module (all platforms)

Temporarily disable the module until patching is possible. Prefer disabling from the back office (Modules > Module Manager > Disable), which updates both `ps_module` and the per-shop table `ps_module_shop` that PrestaShop 1.7 and later actually consult when deciding whether a module is active. The direct SQL below only clears the legacy flag in `ps_module` (adjust the `ps_` prefix if your installation uses another), so check afterwards that the module really shows as disabled. If the injectable code is a PHP file called directly under `/modules/tvcmscategorychainslider/` rather than a module front controller, disabling the module does not block it; deny web access to the module directory or remove it.

UPDATE ps_module SET active = 0 WHERE name = 'tvcmscategorychainslider';

Apply WAF rules (all platforms)

Block SQL injection patterns in requests that reach the module's endpoints: paths under `/modules/tvcmscategorychainslider/`, the friendly route `/module/tvcmscategorychainslider/...`, and front-controller requests carrying `module=tvcmscategorychainslider`. The OWASP Core Rule Set SQLi rules are a reasonable starting point. A WAF reduces but does not remove the risk, since encoding and comment tricks can bypass pattern matching.

🧯 If You Can't Patch

  • Remove the module directory from the web root entirely if the slider is not needed; a disabled module's files may still be requestable.
  • Implement strict network segmentation to isolate the PrestaShop host so a compromised shop cannot reach other systems.
  • Run the shop against a least-privilege MySQL account without FILE or SUPER, which closes the most common SQLi-to-RCE path.
  • Enable query logging (MySQL general log or PrestaShop's SQL debug) on a temporary basis and monitor for UNION, SLEEP/BENCHMARK, or information_schema queries originating from the module's code path; the general log is heavy, so keep it short-lived.

🔍 How to Verify

Check if Vulnerable:

Check the module version in the PrestaShop admin panel under Modules > Module Manager > Theme Volty CMS Category Chain Slider. Any version of 4.0.1 or lower is vulnerable.

Check Version:

SELECT version FROM ps_module WHERE name = 'tvcmscategorychainslider';

Adjust the `ps_` table prefix to match your installation. The value stored in `ps_module` reflects the version registered at install or upgrade time; compare it with the version declared in `modules/tvcmscategorychainslider/config.xml` on disk, since the two can disagree after a manual file replacement.

Verify Fix Applied:

Confirm the module version is 4.0.2 or higher in the admin panel and in `config.xml`. Compare version numbers numerically, not as strings ("4.0.10" is newer than "4.0.2" but sorts before it lexically).
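The following is an added example for this page, not code from Theme Volty or PrestaShop. It reads the module version from a `config.xml` of the shape PrestaShop writes for every installed module (`<version><![CDATA[x.y.z]]></version>`), compares it numerically against the first fixed release named above, and shows why a string comparison gets "4.0.10" wrong. The `config.xml` content below is constructed for the example; run the same logic against `modules/tvcmscategorychainslider/config.xml` on a real shop.

```python
"""Offline version check for the tvcmscategorychainslider module.

Added example for this advisory; not vendor code.  Assumes the module's
config.xml carries <version><![CDATA[x.y.z]]></version>, which is the
layout PrestaShop writes for installed modules.
"""
import re
import xml.etree.ElementTree as ET

MODULE_NAME = "tvcmscategorychainslider"
FIXED_VERSION = "4.0.2"  # first fixed release per the FriendsOfPresta advisory

# Constructed sample of a module config.xml (not a file from the vendor).
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
    <name>tvcmscategorychainslider</name>
    <displayName><![CDATA[Theme Volty CMS Category Chain Slider]]></displayName>
    <version><![CDATA[4.0.1]]></version>
    <is_configurable>1</is_configurable>
</module>
"""


def parse_version(text: str) -> tuple:
    """Turn '4.0.10' into (4, 0, 10) so comparisons are numeric.

    A plain string compare ranks '4.0.10' below '4.0.2', which would
    report a patched module as vulnerable.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def module_version_from_config(xml_text: str) -> tuple:
    """Extract the declared version from a module config.xml document.

    Refuses to report a version for a different module, so a copied
    config.xml from another tvcms* module cannot produce a false 'patched'.
    """
    root = ET.fromstring(xml_text)
    name = (root.findtext("name") or "").strip()
    if name != MODULE_NAME:
        raise ValueError(f"config.xml belongs to {name!r}, not {MODULE_NAME}")
    version = (root.findtext("version") or "").strip()
    return parse_version(version)


def is_vulnerable(version) -> bool:
    """True when the version is below the first fixed release."""
    if isinstance(version, str):
        version = parse_version(version)
    return version < parse_version(FIXED_VERSION)


def assess(xml_text: str, db_version: str = None) -> dict:
    """Combine the on-disk version with the one stored in ps_module (if given)
    and flag a mismatch, which usually means files were replaced by hand."""
    disk = module_version_from_config(xml_text)
    result = {"disk_version": ".".join(map(str, disk)), "vulnerable": is_vulnerable(disk)}
    if db_version is not None:
        result["db_version"] = db_version
        result["mismatch"] = parse_version(db_version) != disk
    return result


if __name__ == "__main__":
    # Example run: the constructed config.xml declares 4.0.1, the DB says 4.0.2.
    print(assess(SAMPLE_CONFIG_XML, db_version="4.0.2"))
```

If `assess` reports `mismatch`, trust the on-disk version for exposure: the PHP that actually executes is what is in `modules/tvcmscategorychainslider/`, regardless of what `ps_module` records.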

📡 Detection & Monitoring

Log Indicators:

  • Database error messages in the PHP error log or PrestaShop debug output (SQL errors are not written to the web server access log unless debug mode renders them in the response).
  • Bursts of requests to the module's endpoints from a single IP with varying parameter values, typical of blind-injection probing.
  • Requests whose parameters contain SQL syntax after URL decoding: quotes, UNION SELECT, SLEEP() or BENCHMARK(), comment sequences (`--`, `#`, `/*`), or `information_schema`.
  • Responses to module requests that are unusually slow (time-based injection) or unusually large (data exfiltrated in the page body).

Network Indicators:

  • HTTP requests to `/modules/tvcmscategorychainslider/`, `/module/tvcmscategorychainslider/`, or `index.php?fc=module&module=tvcmscategorychainslider` carrying SQL syntax in GET/POST parameters, possibly double URL-encoded.
  • Unexpected outbound connections from the database or web host after such requests, which can indicate a successful escalation.

SIEM Query:

source="web_logs" AND (uri_path="*tvcmscategorychainslider*" OR uri_query="*module=tvcmscategorychainslider*") AND (uri_query="*union*select*" OR uri_query="*sleep(*" OR uri_query="*benchmark(*" OR uri_query="*information_schema*" OR uri_query="*%27*")

URL-decode the query string before matching where the platform allows it, and scope the keyword match to requests that reach the module: bare words such as "select" or "update" across all web logs match ordinary product searches and generate noise.
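As an added example (not part of the original page or of any vendor tooling), the script below applies the detection logic described above to combined-format access log lines: it identifies requests that reach the module by path or by the `module=` parameter, undoes up to two layers of URL encoding, and reports which injection indicators fired. The log lines, the `ajax` controller name and the `id_category` parameter are constructed for the example; the page does not name the real injectable parameter.

```python
"""Flag SQL-injection attempts aimed at the tvcmscategorychainslider module
in web server access logs.

Added example for this advisory page.  The sample log lines, the 'ajax'
controller and the 'id_category' parameter are constructed; the actual
injectable parameter is not named in the advisory summary.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

MODULE = "tvcmscategorychainslider"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators that rarely appear in legitimate slider requests.
SQLI_PATTERNS = [
    (re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based probe"),
    (re.compile(r"(['\"])\s*(or|and)\s+['\"\d]", re.I), "tautology"),
    (re.compile(r"(--|#|/\*)"), "SQL comment"),
    (re.compile(r"\binformation_schema\b", re.I), "schema enumeration"),
]

# Constructed sample: one benign request, two probes, one unrelated search
# that contains SQL words but never touches the module.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Sep/2023:10:00:01 +0000] "GET /index.php?fc=module&module=tvcmscategorychainslider&controller=ajax&id_category=3 HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Sep/2023:10:00:02 +0000] "GET /index.php?fc=module&module=tvcmscategorychainslider&controller=ajax&id_category=3%27%20UNION%20SELECT%20email%2Cpasswd%20FROM%20ps_employee--%20- HTTP/1.1" 200 2048',
    '198.51.100.7 - - [26/Sep/2023:10:00:03 +0000] "GET /module/tvcmscategorychainslider/ajax?id_category=3%2527%2520AND%2520SLEEP%25285%2529%2523 HTTP/1.1" 200 512',
    '198.51.100.9 - - [26/Sep/2023:10:00:04 +0000] "GET /search?controller=search&s=union+select+chairs HTTP/1.1" 200 9000',
]


def decode_all(s: str) -> str:
    """Undo up to two layers of URL encoding and treat '+' as a space, so
    both %27%20OR and the double-encoded %2527%2520OR become readable."""
    prev = None
    for _ in range(2):
        if s == prev:
            break
        prev, s = s, unquote(s.replace("+", " "))
    return s


def targets_module(target: str) -> bool:
    """True if the request reaches the module's files or its front controller
    (direct path, friendly /module/<name>/ route, or module=<name>)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if f"/modules/{MODULE}/" in path or f"/module/{MODULE}" in path:
        return True
    return MODULE in [v.lower() for v in parse_qs(parts.query).get("module", [])]


def analyse_line(line: str):
    """Return a finding dict for a suspicious module request, else None."""
    m = LOG_RE.match(line)
    if not m or not targets_module(m["target"]):
        return None
    decoded = decode_all(m["target"])
    hits = [label for rx, label in SQLI_PATTERNS if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m["ip"], "time": m["time"], "target": decoded, "indicators": hits}


def scan(lines):
    """Scan an iterable of log lines and collect findings in order."""
    return [f for f in map(analyse_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["indicators"], finding["target"])
```

Scoping the keyword match to requests that reach the module is what keeps the unrelated product search (line four of the sample) out of the findings; a rule that matched bare SQL words across every request would flag it. POST bodies are not in access logs, so for POST-based probes run the same indicators over a WAF or reverse-proxy log that records the body.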
