CVE-2023-46349
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries on PrestaShop installations using the vulnerable 'Product Catalog (CSV, Excel) Export/Update' module. Attackers can potentially read, modify, or delete database content, including sensitive customer and order data. All PrestaShop sites using the affected module version are vulnerable.
💻 Affected Systems
- PrestaShop with MyPrestaModules 'Product Catalog (CSV, Excel) Export/Update' module
📦 What is this software?
Updateproducts by Myprestamodules
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, or full system takeover if the SQL injection is chained into remote code execution.
Likely Case
Data exfiltration of customer PII, order details, and administrative credentials stored in the database.
If Mitigated
Limited impact if database permissions are restricted, but still potential for data leakage.
🎯 Exploit Status
Simple HTTP request with SQL injection payloads can exploit this vulnerability. Technical details are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.5
Vendor Advisory: https://security.friendsofpresta.org/modules/2023/11/23/updateproducts.html
Restart Required: No
Instructions:
1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find the 'Product Catalog (CSV, Excel) Export/Update' module.
4. Update to version 3.8.5 or later.
5. Clear the PrestaShop cache if needed.
🔧 Temporary Workarounds
Disable vulnerable module
Temporarily disable the module until patching is possible, either from Modules > Module Manager or directly in the database (ps_ is PrestaShop's default table prefix; adjust it if your installation uses another):
UPDATE ps_module SET active = 0 WHERE name = 'updateproducts';
Restrict module access
Use web server rules to block access to the vulnerable endpoint. The Apache rule below requires mod_rewrite and is written for the server or virtual-host configuration; in a .htaccess file the leading slash is not part of the matched path, so drop the `/` after `^`.
# Apache: RewriteRule ^/modules/updateproducts/ - [F,L]
# Nginx: location ~ /modules/updateproducts/ { deny all; }
🧯 If You Can't Patch
- Implement WAF rules to block SQL injection patterns targeting the vulnerable endpoint
- Restrict database user permissions to minimize potential damage from successful exploitation
🔍 How to Verify
Check if Vulnerable:
Check module version in PrestaShop admin panel under Modules > Module Manager > 'Product Catalog (CSV, Excel) Export/Update'
Check Version:
SELECT version FROM ps_module WHERE name = 'updateproducts';
Verify Fix Applied:
Confirm module version is 3.8.5 or higher in the module manager
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in PrestaShop logs
- Multiple requests to /modules/updateproducts/ with SQL-like parameters
- Unexpected database queries from web server process
Network Indicators:
- HTTP requests to /modules/updateproducts/ with SQL keywords in parameters
- Unusual database traffic patterns from web server
SIEM Query:
web.url:*updateproducts* AND (web.param:*UNION* OR web.param:*SELECT* OR web.param:*INSERT* OR web.param:*UPDATE* OR web.param:*DELETE*)
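The log indicators and SIEM query above can be checked offline against web server access logs. The following script is an added example, not part of the advisory: it parses Apache combined-format lines, keeps only requests under /modules/updateproducts/, percent-decodes the query-string values and matches the same five SQL keywords case-insensitively (which a literal wildcard match on the raw URL may miss), then counts hits per source address. The log lines and the export.php file name in them are constructed for the example and are not taken from the advisory.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined format); addresses are documentation ranges,
# and the export.php file name is invented for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Nov/2023:10:00:01 +0000] "GET /modules/updateproducts/export.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Nov/2023:10:00:02 +0000] "GET /modules/updateproducts/export.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Nov/2023:10:00:03 +0000] "GET /index.php?search=select%20products HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Nov/2023:10:00:04 +0000] "POST /modules/updateproducts/export.php?sort=1%3Bselect%20sleep(5) HTTP/1.1" 500 100 "-" "curl/8.0"
"""

# Request part of an Apache combined log line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Same keyword set as the SIEM query; \b avoids matching words such as "selected".
SQL_KEYWORDS = re.compile(r'\b(UNION|SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)
VULN_PATH_PREFIX = '/modules/updateproducts/'

def flag_request(line):
    """Return a finding dict if the line hits the module path with SQL keywords in a parameter value, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if not url.path.startswith(VULN_PATH_PREFIX):
        return None  # the path filter is what keeps ordinary shop traffic out of the results
    # parse_qsl percent-decodes values, so %20UNION%20 is inspected as plain text.
    # Only values are checked: parameter names would false-positive on names like "update".
    keywords = set()
    for _name, value in parse_qsl(url.query, keep_blank_values=True):
        keywords.update(k.upper() for k in SQL_KEYWORDS.findall(value))
    if not keywords:
        return None
    return {'ip': m.group('ip'), 'time': m.group('ts'), 'method': m.group('method'),
            'target': m.group('target'), 'status': m.group('status'), 'keywords': sorted(keywords)}

def scan_log(text):
    """Return the list of findings for every line in an access log."""
    return [f for f in (flag_request(line) for line in text.splitlines()) if f]

def hits_per_ip(findings):
    """Count flagged requests per client address, to surface repeated probing from one source."""
    return Counter(f['ip'] for f in findings)

if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['time']} {f['method']} {f['target']} status={f['status']} keywords={f['keywords']}")
    print(dict(hits_per_ip(found)))
```

Keyword matching on its own is noisy on a shop that legitimately passes product text in parameters, so treat repeated hits from one address against this path, or hits paired with the SQL errors mentioned above, as the stronger signal.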