CVE-2023-45387

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on PrestaShop websites using the 'Product Catalog Export PRO' module. Attackers can potentially extract, modify, or delete database content, affecting all PrestaShop installations with this vulnerable module installed.

💻 Affected Systems

Products:
  • Product Catalog (CSV, Excel, XML) Export PRO module for PrestaShop
Versions: All versions up to and including 5.0.0
Operating Systems: All operating systems running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: Affects PrestaShop installations with the exportproducts module enabled, regardless of PrestaShop version.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or remote code execution via database functions.

🟠 Likely Case: Data exfiltration of sensitive information including customer data, order history, and administrative credentials.

🟢 If Mitigated: Limited impact if proper input validation and parameterized queries are implemented at the application layer.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable by unauthenticated guests via public-facing web interfaces.
🏢 Internal Only: LOW - The attack vector is primarily through web interfaces accessible to external users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via exportProduct::_addDataToDb() function requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 5.0.1 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/11/16/exportproducts.html

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find the 'Product Catalog Export PRO' module.
4. Update to version 5.0.1 or later.
5. Clear the PrestaShop cache.

🔧 Temporary Workarounds

Disable vulnerable module (all platforms)

Temporarily disable the exportproducts module until patching is possible, either from Modules > Module Manager or directly in the database:

UPDATE ps_module SET active = 0 WHERE name = 'exportproducts';

The ps_ prefix is PrestaShop's default table prefix; substitute your installation's configured prefix if it differs, and clear the PrestaShop cache afterwards so the change takes effect.

Web Application Firewall rule (all platforms)

Block SQL injection patterns targeting exportProduct endpoints.

ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected'"

As written, this rule inspects every request argument site-wide rather than only the export endpoints; to scope it to the module, chain it with a REQUEST_URI match. Treat it as a stopgap only: @detectSQLi (libinjection) can miss encoded or obfuscated payloads, so disabling the module is the more reliable interim control.

🧯 If You Can't Patch

  • Implement network-level restrictions to limit access to PrestaShop admin and export functions
  • Enable database query logging and monitoring for suspicious SQL patterns

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > Product Catalog Export PRO.

Check Version:

SELECT version FROM ps_module WHERE name = 'exportproducts';

(Adjust the ps_ table prefix if your installation uses a different one.)

Verify Fix Applied:

Confirm module version is 5.0.1 or higher and test export functionality works without errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed export attempts from single IP
  • Long parameter values in web server logs for export endpoints

Network Indicators:

  • HTTP POST requests to export-related endpoints with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_server" AND (uri="/module/exportproducts/*" OR uri LIKE "%/export%") AND (param CONTAINS "UNION" OR param CONTAINS "SELECT" OR param CONTAINS "--" OR param CONTAINS "' OR '")
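The SIEM query above expresses the detection logic in pseudo-syntax; the following Python script is an added example (not part of this advisory or the module) that applies the same rules to web server access logs: it matches requests to the export endpoints, URL-decodes each parameter, and flags SQL keyword markers and unusually long values. The log lines are constructed samples, and the endpoint paths and the 200-character length threshold are assumptions to adapt to your deployment.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [16/Nov/2023:10:01:02 +0000] "GET /module/exportproducts/export?id_lang=1&format=csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [16/Nov/2023:10:01:05 +0000] "GET /module/exportproducts/export?id_lang=1%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 500 210 "-" "curl/8.0"',
    '203.0.113.12 - - [16/Nov/2023:10:01:09 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [16/Nov/2023:10:01:15 +0000] "POST /module/exportproducts/export?id_lang=1&fields=' + "a" * 250 + ' HTTP/1.1" 200 100 "-" "python-requests/2.31"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# Markers taken from the SIEM query: UNION, SELECT, comment sequence, and the ' OR ' pattern.
SQLI_MARKERS = re.compile(r"(?i)\bunion\b|\bselect\b|--|'\s*or\s*'")
LONG_VALUE = 200  # assumed threshold for the "long parameter values" indicator

def is_export_endpoint(path):
    # Assumed endpoint shapes, mirroring the SIEM query's URI conditions.
    return path.startswith("/module/exportproducts/") or "/export" in path

def inspect_line(line):
    """Return a finding dict for a suspicious export request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not is_export_endpoint(parts.path):
        return None
    reasons = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded payloads are not missed.
        decoded = unquote_plus(value)
        if SQLI_MARKERS.search(decoded):
            reasons.append(f"sqli marker in {key}")
        if len(decoded) > LONG_VALUE:
            reasons.append(f"long value in {key} ({len(decoded)} chars)")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "status": int(m["status"]), "reasons": reasons}

def scan(log_text):
    """Scan a block of access-log text and return all findings in order."""
    return [hit for hit in map(inspect_line, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so POST bodies sent to the export endpoints need application or WAF logging to be covered by the same rules.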

🔗 References
