CVE-2023-39649

9.8 CRITICAL

📋 TL;DR

This CVE describes an SQL injection vulnerability in the Theme Volty CMS Category Slider module for PrestaShop. Unauthenticated attackers can execute arbitrary SQL commands against the database, potentially compromising the entire PrestaShop installation. All PrestaShop installations using vulnerable versions of this module are affected.

💻 Affected Systems

Products:
  • Theme Volty CMS Category Slider module for PrestaShop
Versions: Up to version 4.0.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PrestaShop installation with the vulnerable module enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution via database functions, and full system takeover.

🟠 Likely Case

Database information disclosure including customer data, admin credentials, and sensitive business information.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized and this affects a popular e-commerce platform.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.0.2 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/09/26/tvcmscategoryslider.html

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Search for 'Theme Volty CMS Category Slider'.
4. Update to version 4.0.2 or later.
5. Clear the PrestaShop cache.

🔧 Temporary Workarounds

Disable vulnerable module (applies to: all)

Temporarily disable the Theme Volty CMS Category Slider module until patched:

UPDATE ps_module SET active = 0 WHERE name = 'tvcmscategoryslider';

Note: ps_ is PrestaShop's default table prefix; substitute the prefix chosen at install time if it differs. Disabling the module from the admin panel (Modules > Module Manager) has the same effect without direct database access.

Web Application Firewall rule (applies to: all)

Add a WAF rule to block SQL injection patterns targeting the vulnerable endpoint, for example with ModSecurity:

SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403"

Note: as written this rule inspects every request argument on the site, not only the module's endpoint, so expect to tune it (for example by scoping it to the module's request path with a chained rule) to limit false positives on legitimate form input.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in custom code
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > Theme Volty CMS Category Slider

Check Version:

SELECT version FROM ps_module WHERE name = 'tvcmscategoryslider';

Verify Fix Applied:

Confirm module version is 4.0.2 or higher in the module manager

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in PrestaShop logs
  • Multiple failed SQL queries from single IP
  • Requests to tvcmscategoryslider endpoints with SQL keywords

Network Indicators:

  • HTTP requests containing SQL injection payloads to category slider endpoints
  • Unusual database traffic patterns

SIEM Query:

source="prestashop.log" AND ("SQL syntax" OR "mysql_error" OR "tvcmscategoryslider")
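Added example, not from the advisory or the module vendor: a short Python script that applies the log indicators above to constructed Apache access-log lines, flagging requests to the module's endpoint whose decoded query contains SQL keywords and counting flagged requests per source IP. The endpoint path (/modules/tvcmscategoryslider/ajax.php) and the id_category parameter in the sample lines are assumptions, not details from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format. The module path
# (/modules/tvcmscategoryslider/ajax.php) and the id_category parameter are
# assumptions for illustration, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Sep/2023:10:01:02 +0000] "GET /modules/tvcmscategoryslider/ajax.php?id_category=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Sep/2023:10:01:05 +0000] "GET /modules/tvcmscategoryslider/ajax.php?id_category=3%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [26/Sep/2023:10:02:11 +0000] "GET /index.php?id_product=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2023:10:02:13 +0000] "GET /modules/tvcmscategoryslider/ajax.php?id_category=3%27%20OR%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Fields needed from a combined-format line: client IP, timestamp, request URL, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Coarse SQL-keyword patterns for the "SQL keywords" indicator, applied to the
# URL-decoded request because payloads normally arrive percent-encoded.
SQLI_RE = re.compile(r"(\bunion\b\s+\bselect\b|\bsleep\s*\(|\bor\b\s+\d+\s*=\s*\d+"
                     r"|'\s*--|\binformation_schema\b)", re.I)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["url"] = unquote_plus(rec["url"])  # decode %27, %20, + before keyword matching
    return rec


def find_suspicious(log_text, module_name="tvcmscategoryslider"):
    """Requests to the module's endpoints whose decoded URL contains SQL keywords."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or module_name not in rec["url"].lower():
            continue  # skip unparseable lines and traffic to other endpoints
        m = SQLI_RE.search(rec["url"])
        if m:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "match": m.group(0), "url": rec["url"]})
    return hits


def hits_by_ip(hits):
    # Per-source count for the "multiple failed SQL queries from single IP" indicator.
    counts = defaultdict(int)
    for h in hits:
        counts[h["ip"]] += 1
    return dict(counts)
```

Run it against a real access log with `find_suspicious(open(path).read())`, and tune SQLI_RE to match whatever signatures your WAF already uses so the two sources agree.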
