CVE-2023-40920

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Prixan prixanconnect allows attackers to execute arbitrary SQL commands through the importProducts() function. It affects all users running versions up to v1.62 of the prixanconnect module for PrestaShop. Successful exploitation could lead to database compromise and potentially full system takeover.

💻 Affected Systems

Products:
  • Prixan prixanconnect module for PrestaShop
Versions: Up to and including v1.62
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects PrestaShop installations using the vulnerable prixanconnect module version.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data theft, modification, or deletion; potential remote code execution leading to full system control.

🟠

Likely Case

Database information disclosure including customer data, order history, and back-office employee password hashes (the ps_employee table); potential for data manipulation.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries in place; database access restricted to necessary operations only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ Yes
Complexity: LOW

SQL injection in PrestaShop modules is routinely exploited once an advisory is public. The 9.8 base score (network-reachable, low complexity, no privileges, no user interaction) means the vulnerable importProducts() path is reachable with a plain HTTP request and no back-office login, so a "guest" attacker on the internet is in scope.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.63 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/10/05/prixanconnect.html

Restart Required: No

Instructions:

1. Download the latest prixanconnect release (v1.63 or later) from the vendor.
2. Back up the existing modules/prixanconnect directory, then replace it with the new module files.
3. Clear the PrestaShop cache (Advanced Parameters > Performance > Clear cache).
4. Verify that the module still works and that the version shown in Module Manager is v1.63 or higher.

🔧 Temporary Workarounds

Disable vulnerable module (platform: all)

Temporarily disable the prixanconnect module until it is patched: PrestaShop admin > Modules > Module Manager > find prixanconnect > Disable.

Caveat: disabling a module in Module Manager only removes its hooks and front controllers from the normal request flow; PHP files under modules/prixanconnect/ remain web-accessible. If the import entry point is reachable as a direct file request, deny access to the module directory at the web server level (or uninstall and remove the module) rather than relying on the Disable toggle.

Web Application Firewall rules (platform: all)

Add WAF rules that block SQL injection patterns in requests reaching the vulnerable endpoint. Make sure the WAF URL-decodes parameters (including double-encoded ones) before matching; treat this as a stopgap, not a fix, since keyword-based rules are routinely bypassed.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs reaching the import path (allow-list expected formats; cast numeric identifiers to integers)
  • Apply the principle of least privilege to the database account: PrestaShop normally uses a single user that owns the whole schema, so data theft cannot be prevented this way, but denying FILE, SUPER and access to other databases limits escalation from SQL injection to file writes or code execution

🔍 How to Verify

Check if Vulnerable:

Look up the prixanconnect version in the PrestaShop admin panel under Modules > Module Manager > prixanconnect; anything at or below v1.62 is affected.

Check Version:

On disk, the version is recorded in modules/prixanconnect/config.xml (the <version> element) and in the module's main class (the $this->version assignment in modules/prixanconnect/prixanconnect.php). Note that config.xml is regenerated from the class when the back office loads the module, so it can lag behind the PHP file right after a manual file copy.

Verify Fix Applied:

Confirm that both locations report v1.63 or higher, then exercise the product import to make sure the module still functions.
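The following is an added example, not code from the advisory or from Prixan: it reads the version from the two places a PrestaShop module records it (config.xml and the module class) and decides whether the install is in the affected range. The file contents below are constructed in the shape PrestaShop writes them; the module class name and path are assumed.

```python
"""Added example (not from the advisory or from Prixan): decide whether an
installed prixanconnect module is in the affected range (<= 1.62) using the
version strings PrestaShop modules keep in config.xml and in the module's
main PHP class. The sample file contents below are constructed."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 63)  # first version reported as fixed on this page


def parse_version(text: str) -> tuple:
    """'1.62' -> (1, 62); a trailing suffix such as '1.63-beta' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_from_config_xml(xml_text: str) -> str:
    """Read <version> from a PrestaShop module config.xml (a trusted local file)."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or node.text is None:
        raise ValueError("no <version> element in config.xml")
    return node.text.strip()


def version_from_module_php(php_text: str) -> str:
    """Read the $this->version = '...'; assignment from the module's main class."""
    m = re.search(r"\$this->version\s*=\s*['\"]([^'\"]+)['\"]", php_text)
    if not m:
        raise ValueError("no $this->version assignment found")
    return m.group(1)


def is_affected(version: str) -> bool:
    """True when the module version is below the first fixed release."""
    return parse_version(version) < FIXED_VERSION


# Constructed samples: a stale config.xml next to an already-updated class file,
# which is what a manual file replacement looks like before the cache is cleared.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
  <name>prixanconnect</name>
  <displayName><![CDATA[Prixan Connect]]></displayName>
  <version><![CDATA[1.62]]></version>
  <is_configurable>1</is_configurable>
</module>
"""

SAMPLE_MODULE_PHP = """<?php
class Prixanconnect extends Module
{
    public function __construct()
    {
        $this->name = 'prixanconnect';
        $this->version = '1.63';
        parent::__construct();
    }
}
"""


def check_install(config_xml: str, module_php: str) -> dict:
    """Report both recorded versions; treat the install as affected if either
    source is still in range, since the two can disagree after a partial copy."""
    xml_v = version_from_config_xml(config_xml)
    php_v = version_from_module_php(module_php)
    return {
        "config_xml": xml_v,
        "module_php": php_v,
        "versions_agree": parse_version(xml_v) == parse_version(php_v),
        "affected": is_affected(xml_v) or is_affected(php_v),
    }


if __name__ == "__main__":
    print(check_install(SAMPLE_CONFIG_XML, SAMPLE_MODULE_PHP))
```

Flagging the install as affected when either source is still in range is deliberate: a half-applied update (new PHP class, old config.xml, or the reverse) is exactly the state a quick Module Manager glance can misreport.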

📡 Detection & Monitoring

Log Indicators:

  • Unexpected UNION, subquery or information_schema statements in the MySQL general or slow query log, issued from the prixanconnect import path
  • Multiple failed or malformed import attempts in quick succession from one client
  • Suspicious POST (or GET) requests to the importProducts endpoint carrying quotes, comment sequences or SQL keywords in parameters

Network Indicators:

  • SQL injection patterns in HTTP requests
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (uri="*importProducts*" AND (method="POST" OR method="GET") AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*"))

This query only matches plaintext keywords; URL-decode the query string (including double encoding such as %2527) before matching, and extend the pattern list with time-based probes (SLEEP(, BENCHMARK() and comment tails (--, /*) so that blind injection attempts are not missed.
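The detection logic below is an added example, not part of the advisory: it applies the intent of the SIEM query to access-log lines, URL-decoding each request (twice, to catch double encoding) before testing for injection markers. The advisory does not give the URL of the import endpoint, so requests are matched on the module name and the importProducts method name; that choice, and the sample log lines, are constructed for the example.

```python
"""Added example (not from the advisory): flag access-log requests that reach
the prixanconnect import path and carry SQL injection markers after URL
decoding, which a plain keyword SIEM query would miss. The endpoint markers
are an assumption (the advisory does not give the URL); log lines are
constructed, not real traffic."""
import re
from urllib.parse import unquote_plus

# Assumption: the import endpoint's URL contains the module or method name.
ENDPOINT_MARKERS = ("prixanconnect", "importproducts")

# Label reported is the first pattern that matches; any match is enough.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("tautology", re.compile(r"(['\"]|\b)\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("schema-probe", re.compile(r"information_schema", re.I)),
    ("comment-tail", re.compile(r"(--\s|#|/\*)")),
]

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def decode_uri(uri: str) -> str:
    """Decode twice so single- and double-encoded payloads both become plain text."""
    return unquote_plus(unquote_plus(uri))


def classify(line: str):
    """Return (method, decoded_uri, label) for a suspicious request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    uri = decode_uri(m.group("uri"))
    if not any(marker in uri.lower() for marker in ENDPOINT_MARKERS):
        return None  # not the endpoint of interest
    for label, pattern in SQLI_PATTERNS:
        if pattern.search(uri):
            return (m.group("method"), uri, label)
    return None


def scan(lines):
    """Run classify over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample lines: one unrelated request, one benign import call,
# one single-encoded UNION probe, one double-encoded tautology probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2023:10:01:02 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [05/Oct/2023:10:01:09 +0000] "POST /index.php?fc=module&module=prixanconnect&controller=importProducts&id=1 HTTP/1.1" 200 310',
    '198.51.100.9 - - [05/Oct/2023:10:02:15 +0000] "POST /index.php?fc=module&module=prixanconnect&controller=importProducts&id=1%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [05/Oct/2023:10:02:40 +0000] "GET /index.php?fc=module&module=prixanconnect&controller=importProducts&ref=1%2527%2520OR%25201%253D1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for method, uri, label in scan(SAMPLE_LOG):
        print(f"{label:13} {method} {uri}")
```

Matching is done on the decoded URI rather than the raw log field, which is the difference between this and the literal SIEM query: the fourth sample line contains no readable SELECT, UNION or OR 1=1 until it has been decoded twice.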
