CVE-2023-45377

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on PrestaShop installations using the Chronopost Official module. Attackers can potentially access, modify, or delete database content. All PrestaShop sites with the vulnerable Chronopost module are affected.

💻 Affected Systems

Products:
  • PrestaShop Chronopost Official module
Versions: All versions before patch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Chronopost module to be installed and enabled on PrestaShop.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to remote code execution.

🟠 Likely Case

Database information disclosure, data manipulation, or privilege escalation affecting e-commerce operations.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, though SQL injection attempts may still be logged.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access to cancelSkybill.php with crafted parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Updated Chronopost module version

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/11/21/chronopost.html

Restart Required: No

Instructions:

1. Update the Chronopost module to the latest version via the PrestaShop admin panel.
2. Verify the module update completes successfully.
3. Test that functionality remains intact.

🔧 Temporary Workarounds

Disable vulnerable endpoint (linux)

Temporarily block access to the cancelSkybill.php file by renaming it (re-check after the module update, which ships its own copy of the file):

mv modules/chronopost/cancelSkybill.php modules/chronopost/cancelSkybill.php.disabled

Web server access restriction (all)

Configure the web server to deny access to the vulnerable script: add 'Deny from all' to the .htaccess for the cancelSkybill.php directory. On Apache 2.4 the equivalent directive is 'Require all denied'; scope the rule to the single file with a <Files> block if other scripts in the module directory must stay reachable.

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns targeting cancelSkybill.php
  • Restrict network access to PrestaShop admin interface and vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check whether modules/chronopost/cancelSkybill.php exists and whether it builds SQL queries from unsanitized user input.

Check Version:

Check PrestaShop admin panel → Modules → Module Manager for Chronopost version

Verify Fix Applied:

Verify cancelSkybill.php uses parameterized queries or has been removed/updated in module update.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /modules/chronopost/cancelSkybill.php with SQL keywords in parameters
  • Database error logs showing SQL syntax errors from Chronopost module

Network Indicators:

  • Unusual SQL queries originating from web server to database
  • HTTP traffic patterns matching SQL injection attempts

SIEM Query:

source="web_access.log" AND uri="/modules/chronopost/cancelSkybill.php" AND (param="SELECT" OR param="UNION" OR param="OR 1=1")

(Pseudo-query: adapt the field names to your SIEM, match parameter values with substring or wildcard matching rather than exact equality, and URL-decode them first, since an exact match on param="SELECT" will miss real payloads such as percent-encoded ones.)
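As an added example, not part of the original advisory: a small Python scanner implementing the same logic as the SIEM query above over constructed access-log lines. It parses combined-format log entries, restricts matching to the advisory's endpoint path, and decodes percent-encoding before applying the keyword patterns so encoded payloads are not missed. Log lines, field names and the keyword list are assumptions to tune for your environment.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint named in the advisory; matched case-insensitively on the path only.
TARGET_PATH = "/modules/chronopost/cancelSkybill.php"

# Indicators from the advisory (SELECT, UNION, OR 1=1) plus common injection
# punctuation. Whole-word, case-insensitive. Tune for your own parameter names.
SQLI_PATTERNS = re.compile(
    r"\b(union|select|insert|update|delete|sleep|benchmark)\b"
    r"|\bor\s+\d+\s*=\s*\d+"   # OR 1=1 style tautologies
    r"|'\s*(or|and)\b"         # quote followed by a boolean operator
    r"|--|/\*",                # SQL comment sequences
    re.IGNORECASE,
)

# Apache/nginx combined log format (assumed): ip - - [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_request(entry):
    """Return (param, decoded_value) pairs that match SQLI_PATTERNS on the target path."""
    parts = urlsplit(entry["target"])
    if parts.path.lower() != TARGET_PATH.lower():
        return []
    # parse_qsl decodes %xx and '+', so encoded payloads are inspected in the clear.
    # Note: only the query string is visible here; POST bodies are not in access logs.
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if SQLI_PATTERNS.search(v)]

def scan_log(lines):
    """Return one alert dict per log line whose request looks like injection."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = flag_request(entry)
        if hits:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"], "hits": hits})
    return alerts

# Constructed sample log lines (not real traffic): benign, encoded injection, other path, garbage.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Nov/2023:10:00:01 +0000] "GET /modules/chronopost/cancelSkybill.php?skybill=123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Nov/2023:10:00:02 +0000] "GET /modules/chronopost/cancelSkybill.php?skybill=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Nov/2023:10:00:03 +0000] "GET /index.php?controller=product&id_product=1+UNION+SELECT+1 HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Only the second sample line is reported: the third carries injection keywords but targets a different path, which keeps the alert tied to this advisory's endpoint.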
