CVE-2023-39652

9.8 CRITICAL

📋 TL;DR

This CVE describes a SQL injection vulnerability in the theme volty tvcmsvideotab module for PrestaShop. Attackers can exploit this to execute arbitrary SQL commands on the database. Any PrestaShop installation using this vulnerable module is affected.

💻 Affected Systems

Products:
  • theme volty tvcmsvideotab module for PrestaShop
Versions: up to v4.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with this specific module installed and enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, or full system takeover by chaining SQL injection into remote code execution.

🟠 Likely Case

Database information disclosure, data manipulation, or privilege escalation within the PrestaShop application.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, or if the database user has minimal privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the module's front controller, but specific authentication requirements are not detailed in available references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.0.1 or later

Vendor Advisory: https://themevolty.com/

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find the 'tvcmsvideotab' module.
4. Update to version 4.0.1 or later.
5. Clear the cache if necessary.

🔧 Temporary Workarounds

Disable vulnerable module

all

Temporarily disable the tvcmsvideotab module until patched

Navigate to PrestaShop admin > Modules > Module Manager > Find tvcmsvideotab > Click Disable

WAF rule implementation

all

Implement web application firewall rules to block SQL injection patterns targeting this module

Depends on the specific WAF solution in use: create a rule that blocks suspicious SQL patterns in requests to TvcmsVideoTabConfirmDeleteModuleFrontController

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the module code
  • Restrict database user permissions to minimum required for module functionality

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel: Modules > Module Manager > Find tvcmsvideotab > Check version number

Check Version:

No single command exists; check via the PrestaShop admin interface as described above

Verify Fix Applied:

Verify that the module version shown in Module Manager is 4.0.1 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in PrestaShop logs
  • Multiple failed login attempts or unusual database queries

Network Indicators:

  • HTTP requests containing SQL injection patterns targeting the TvcmsVideoTabConfirmDeleteModuleFrontController endpoint

SIEM Query:

web.url:*TvcmsVideoTabConfirmDeleteModuleFrontController* AND (web.query:*SELECT* OR web.query:*UNION* OR web.query:*OR 1=1*)

🔗 References