Login Sign Up

CVE-2023-46351

9.8 CRITICAL
SQL Injection

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries on PrestaShop installations using the mib module from MyPresta.eu. Attackers can potentially access, modify, or delete database content, including sensitive customer data. All PrestaShop sites using the vulnerable mib module are affected.

💻 Affected Systems

Products:
  • PrestaShop mib module from MyPresta.eu
Versions: All versions < 1.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with the mib module installed and enabled.

📦 What is this software?

Manufacturers \(brands\) Images Block by Mypresta

View all CVEs affecting Manufacturers \(brands\) Images Block →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Data exfiltration of customer information, order details, and administrative credentials stored in the database.

🟢

If Mitigated

Limited impact if proper input validation and prepared statements are implemented, though SQL injection attempts would still be logged.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP access to the vulnerable endpoint with crafted parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.1

Vendor Advisory: https://mypresta.eu/modules/front-office-features/manufacturers-brands-images-block.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel. 2. Navigate to Modules > Module Manager. 3. Find 'mib' module. 4. Click 'Upgrade' to version 1.6.1 or later. 5. Alternatively, download from MyPresta.eu and manually upload.

🔧 Temporary Workarounds

Disable mib module

all

Temporarily disable the vulnerable module until patching is possible.

Navigate to Modules > Module Manager in PrestaShop admin, find 'mib', click 'Disable'

WAF rule for SQL injection

all

Implement web application firewall rules to block SQL injection patterns targeting the vulnerable endpoint.

Add WAF rule: Block requests containing SQL keywords to /modules/mib/mib.php

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in the mib::getManufacturersByCategory() method
  • Restrict access to the vulnerable endpoint using IP whitelisting or authentication requirements

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin under Modules > Module Manager > mib module details.

Check Version:

SELECT version FROM ps_module WHERE name = 'mib'

Verify Fix Applied:

Confirm mib module version is 1.6.1 or higher in module details.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in PrestaShop logs
  • Multiple requests to /modules/mib/mib.php with SQL-like parameters

Network Indicators:

  • HTTP requests to vulnerable endpoint with SQL injection payloads in parameters

SIEM Query:

source="prestashop.log" AND "mib" AND ("SQL" OR "syntax" OR "UNION" OR "SELECT")

📊 Metadata

CVE ID: CVE-2023-46351
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: January 19, 2024
Last Updated: June 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46351, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)