CVE-2023-45386

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the extratabspro PrestaShop module allows unauthenticated attackers to execute arbitrary SQL commands. All PrestaShop installations using vulnerable versions of this module are affected, potentially leading to complete database compromise.

💻 Affected Systems

Products:
  • PrestaShop extratabspro module
Versions: All versions before 2.2.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the extratabspro module to be installed and enabled on PrestaShop.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database takeover allowing data theft, modification, or deletion, potentially leading to remote code execution via database functions.

🟠 Likely Case

Data exfiltration of customer information, order data, and administrative credentials stored in the database.

🟢 If Mitigated

Limited impact if the database user has minimal privileges and input validation blocks malicious payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward via HTTP requests to vulnerable endpoints without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.8

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/10/12/extratabspro.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel
2. Navigate to Modules > Module Manager
3. Search for 'extratabspro'
4. Click 'Upgrade' to version 2.2.8
5. Clear PrestaShop cache

🔧 Temporary Workarounds

Disable vulnerable module (platform: all)

Temporarily disable the extratabspro module until patching is possible

UPDATE ps_module SET active = 0 WHERE name = 'extratabspro';

Web Application Firewall rule (platform: linux, Apache httpd)

Block requests to vulnerable endpoints. Note that this also blocks the module's legitimate front-office requests, which is acceptable only while the module is out of service.

# "Deny from all" is Apache 2.2 syntax (needs mod_access_compat on 2.4; use "Require all denied" there)
<LocationMatch "/modules/extratabspro/">
    Deny from all
</LocationMatch>

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level
  • Restrict database user permissions to minimum required operations

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > extratabspro

Check Version:

SELECT version FROM ps_module WHERE name = 'extratabspro';

Verify Fix Applied:

Confirm module version shows 2.2.8 or higher in admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web server logs
  • Multiple requests to /modules/extratabspro/ endpoints with SQL keywords

Network Indicators:

  • HTTP POST/GET requests containing SQL injection payloads to vulnerable endpoints

SIEM Query:

source="webserver.log" AND ("extratabspro" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE"))
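A small log scanner for the indicators listed above, added here as an example and not part of the advisory: it parses combined-format web server lines, URL-decodes the request target (twice, since attackers often double-encode), and flags requests under /modules/extratabspro/ that carry the SQL keywords from the SIEM query. The log lines and the endpoint name in them are constructed placeholders, not real traffic or a real module file.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords from the advisory's SIEM query; plain substring matching is noisy
# (e.g. a parameter named "selected"), so tune the list for your traffic.
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "DELETE")
MODULE_PATH = "/modules/extratabspro/"

def decode_target(target: str) -> str:
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are visible.
    return unquote_plus(unquote_plus(target))

def classify(line: str):
    """Return (ip, decoded target) when the request hits the module path and
    contains a SQL keyword; otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    if MODULE_PATH not in decoded.lower():
        return None
    upper = decoded.upper()
    if any(kw in upper for kw in SQL_KEYWORDS):
        return m.group("ip"), decoded
    return None

def scan(lines):
    return [hit for hit in (classify(line) for line in lines) if hit]

# Constructed sample lines; "endpoint.php" is a placeholder file name.
SAMPLE = [
    '203.0.113.5 - - [12/Oct/2023:10:01:02 +0000] "GET /modules/extratabspro/endpoint.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Oct/2023:10:01:03 +0000] "GET /modules/extratabspro/endpoint.php?id=1%27%20UNION%20SELECT%201 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Oct/2023:10:01:04 +0000] "POST /index.php?controller=product HTTP/1.1" 200 9000',
    '198.51.100.3 - - [12/Oct/2023:10:01:05 +0000] "GET /modules/extratabspro/endpoint.php?id=%2527%2520union%2520select HTTP/1.1" 500 100',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE):
        print(f"suspicious request from {ip}: {target}")
```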
