Login Sign Up

CVE-2023-46353

9.8 CRITICAL
SQL Injection

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries on PrestaShop installations using the vulnerable 'Product Tag Icons Pro' module. Attackers can potentially read, modify, or delete database content, including sensitive customer and administrative data. All PrestaShop sites using affected versions of this third-party module are vulnerable.

💻 Affected Systems

Products:
  • Product Tag Icons Pro (ticons) module for PrestaShop
Versions: All versions before 1.8.4
Operating Systems: Any OS running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PrestaShop installation with the vulnerable module enabled. The module is from MyPresta.eu marketplace.

📦 What is this software?

Product Tag Icons Pro by Mypresta

View all CVEs affecting Product Tag Icons Pro →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠

Likely Case

Data exfiltration of customer information (names, addresses, payment details), administrative credential theft, and website defacement.

🟢

If Mitigated

Limited impact if database permissions are restricted, but still potential for data leakage from accessible tables.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to vulnerable endpoints. The advisory includes technical details that facilitate exploit development.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.4

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/11/28/ticons.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel. 2. Navigate to Modules > Module Manager. 3. Find 'Product Tag Icons Pro' module. 4. Update to version 1.8.4 or later from MyPresta.eu marketplace. 5. Clear PrestaShop cache.

🔧 Temporary Workarounds

Disable vulnerable module

all

Temporarily disable the module until patching is possible

Web Application Firewall rules

all

Block SQL injection patterns targeting the vulnerable endpoint

🧯 If You Can't Patch

  • Disable the 'Product Tag Icons Pro' module completely
  • Implement strict network filtering to limit access to PrestaShop admin and API endpoints

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > Product Tag Icons Pro

Check Version:

No direct CLI command; check via PrestaShop admin interface

Verify Fix Applied:

Confirm module version is 1.8.4 or higher in the module manager

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in PrestaShop logs
  • Multiple requests to module endpoints with SQL-like parameters

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, etc.) to ticons-related endpoints

SIEM Query:

web.url:*ticons* AND (http.method:POST OR http.method:GET) AND (http.query:*UNION* OR http.query:*SELECT* OR http.query:*INSERT*)

📊 Metadata

CVE ID: CVE-2023-46353
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: December 6, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46353, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)