CVE-2023-46357

9.8 CRITICAL

📋 TL;DR

This is an unauthenticated SQL injection in the 'Cross Selling in Modal Cart' module (technical name: motivationsale) for PrestaShop, versions below 3.5.0. Any visitor, without an account, can send crafted HTTP requests to the module's front-office endpoints and have attacker-controlled SQL executed against the shop database: reading customer and order data, reading employee password hashes, or modifying data outright. Every PrestaShop site with a vulnerable version of this module installed and enabled is affected.

💻 Affected Systems

Products:
  • Cross Selling in Modal Cart (motivationsale) module for PrestaShop
Versions: All versions < 3.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires only that a vulnerable version of the module is installed and enabled on the PrestaShop site. No account or login is needed; guest access is sufficient for exploitation.

📦 What is this software?

Cross Selling in Modal Cart (technical name motivationsale) is a third-party PrestaShop module that shows additional product suggestions in the cart modal, the pop-up displayed when a shopper adds a product to the cart. It is not part of PrestaShop core, so only shops that have installed it are exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full read/write access to the shop database: dumping every table, adding or rewriting back-office accounts in ps_employee to take over the admin panel, and, where the database user holds the FILE privilege and the web root is writable by the database server, dropping a PHP file with SELECT ... INTO OUTFILE for remote code execution.

🟠 Likely Case

Exfiltration of customer personal data, order details and employee password hashes through UNION-based or blind (boolean/time-based) injection.

🟢 If Mitigated

Disabling the module removes the vulnerable code path. A WAF block on the module's endpoints and a least-privilege database account (no FILE privilege, no access outside the shop schema) shrink the blast radius but do not remove the injection; treat them as stopgaps until 3.5.0 is installed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to vulnerable endpoints. Technical details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.0

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/11/21/motivationsale.html

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find 'Cross Selling in Modal Cart' (motivationsale).
4. Update to version 3.5.0 or later (upgrade in place, or upload the new module archive if no update is offered).
5. Clear the PrestaShop cache (Advanced Parameters > Performance > Clear cache).
6. Confirm that Module Manager now shows version 3.5.0 or higher.

🔧 Temporary Workarounds

Disable vulnerable module

all

Temporarily disable the motivationsale module until the update can be installed. Prefer the admin panel (Modules > Module Manager > motivationsale > Disable) or, on PrestaShop 1.7+/8, the prestashop:module disable console command, since both go through PrestaShop's own module handling and cache. The direct SQL below is the fallback when the admin panel is unavailable. It assumes the default ps_ table prefix (see database_prefix in app/config/parameters.php on 1.7+, or _DB_PREFIX_ in config/settings.inc.php on 1.6); because PrestaShop also tracks per-shop enablement in the module_shop table, verify in Module Manager that the module shows as disabled afterwards and clear the cache.

UPDATE ps_module SET active = 0 WHERE name = 'motivationsale';

Web Application Firewall rule

linux

Block every request that reaches the motivationsale module while it is still enabled. Matching only "SQL injection patterns" is fragile (case changes, URL encoding, comment tricks); since the module should be unreachable until patched, a blanket block on anything naming the module in the URI or in request parameters is the safer fence. ModSecurity example (use phase 2 so POST bodies are inspected, decode and lower-case before matching so %-encoded or mixed-case names do not slip through, and pick an id that does not collide with your existing rule set):

SecRule REQUEST_URI|ARGS "@contains motivationsale" "id:1001,phase:2,t:none,t:lowercase,t:urlDecodeUni,deny,status:403,log,msg:'Block motivationsale endpoints (CVE-2023-46357)'"

This also blocks the module's configuration page in the back office, whose URL contains the module name; if you need it, exempt your admin path with a preceding rule that uses ctl:ruleRemoveById.

🧯 If You Can't Patch

  • Disable the motivationsale module immediately; you lose the cross-selling feature, not the shop.
  • Front the site with a WAF rule that blocks every request naming the module, as shown under Temporary Workarounds.
  • Run the shop's database user with least privilege: SELECT/INSERT/UPDATE/DELETE on the shop schema only, no FILE, no SUPER, no grants on other databases. This does not stop the injection but closes the path to file writes and cross-database reads.
  • Input validation and parameterized queries have to live inside the module; they cannot be retrofitted from outside without editing the module's code, which amounts to an unofficial patch and should be reverted once 3.5.0 is installed.

🔍 How to Verify

Check if Vulnerable:

In the admin panel, open Modules > Module Manager, find Cross Selling in Modal Cart and read the version shown next to the module name. Anything below 3.5.0 is vulnerable while the module is enabled.

Check Version:

SELECT name, version, active FROM ps_module WHERE name = 'motivationsale';

Adjust the ps_ prefix to your installation. An empty result means the module is not installed; its files may still be on disk under modules/motivationsale/, and since module files can be reachable directly over HTTP, remove the directory if the module is not in use.

Verify Fix Applied:

Confirm that Module Manager shows 3.5.0 or higher and that the query above returns a version of at least 3.5.0. Compare versions numerically, not as strings (3.10.0 is newer than 3.5.0).
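To check many shops from the filesystem rather than by hand, the following added example (written for this advisory, not code from PrestaShop or the module's vendor) reads the module version from the module directory and compares it numerically against 3.5.0. It assumes the module directory contains the config.xml that PrestaShop generates for modules, with a <version> element, and falls back to the `$this->version = '...'` assignment that every PrestaShop module constructor sets; the sample config.xml and PHP snippet in the block are constructed.

```python
"""Is the installed motivationsale module below the fixed version 3.5.0?

Added example for this advisory; not code from PrestaShop or the module vendor.
Assumptions: modules/motivationsale/config.xml exists with a <version> element
(PrestaShop generates this file for modules), or motivationsale.php contains a
`$this->version = '...'` assignment as PrestaShop module constructors do.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

MODULE_NAME = "motivationsale"
FIXED_VERSION = "3.5.0"

# Constructed sample inputs (not taken from the real module).
SAMPLE_CONFIG_XML = """<module>
    <name><![CDATA[motivationsale]]></name>
    <displayName><![CDATA[Cross Selling in Modal Cart]]></displayName>
    <version><![CDATA[3.4.2]]></version>
</module>
"""
SAMPLE_MODULE_PHP = """<?php
class motivationsale extends Module
{
    public function __construct()
    {
        $this->name = 'motivationsale';
        $this->version = '3.4.2';
        parent::__construct();
    }
}
"""


def parse_version(text):
    """'3.4.10' -> (3, 4, 10). Numeric tuples compare correctly; a plain string
    comparison would rank '3.10.0' below '3.5.0'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True when the version is strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_config_xml(xml_text):
    """Read <version> from a PrestaShop module config.xml; None if absent."""
    node = ET.fromstring(xml_text).find("version")
    return node.text.strip() if node is not None and node.text else None


def version_from_module_php(php_text):
    """Fallback: pull the literal out of `$this->version = '...';`."""
    m = re.search(r"\$this->version\s*=\s*['\"]([^'\"]+)['\"]", php_text)
    return m.group(1) if m else None


def module_version(module_dir):
    """Version string for the module under module_dir, or None if not found."""
    d = Path(module_dir)
    cfg = d / "config.xml"
    if cfg.is_file():
        v = version_from_config_xml(cfg.read_text(encoding="utf-8"))
        if v:
            return v
    main_php = d / f"{d.name}.php"
    if main_php.is_file():
        return version_from_module_php(
            main_php.read_text(encoding="utf-8", errors="replace"))
    return None


def assess(module_dir):
    """Return (version, verdict); verdict is 'vulnerable', 'fixed' or 'unknown'."""
    v = module_version(module_dir)
    if v is None:
        return None, "unknown"
    return v, ("vulnerable" if is_vulnerable(v) else "fixed")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else f"modules/{MODULE_NAME}"
    print(assess(target))
```

Run it with the path to the module directory on each shop's document root; an 'unknown' verdict means neither file yielded a version and the shop needs a manual look in Module Manager.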

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax or query errors in PrestaShop's log directory (var/logs/ on 1.7+/8) or in the PHP error log, coinciding with requests to the module
  • Bursts of requests from one client to motivationsale endpoints carrying SQL keywords, quotes, comment sequences (--, /*) or non-numeric values in parameters where product IDs are expected
  • Requests to the module with response times of several seconds, the signature of SLEEP()/BENCHMARK() time-based probing

Network Indicators:

  • HTTP requests whose URI or body names the module and also contains SQL keywords (UNION, SELECT, SLEEP, etc.), quotes or comment sequences, in plain or URL-encoded form (%27 for a quote, %20UNION%20SELECT)

SIEM Query:

Most of these indicators appear in the web server access log rather than in PrestaShop's own log, so search both. Splunk-style examples, one per source:

sourcetype=access_combined uri="*motivationsale*" (uri="*UNION*" OR uri="*SELECT*" OR uri="*SLEEP(*" OR uri="*%27*" OR uri="*--*")

source="prestashop.log" AND "motivationsale" AND ("SQL" OR "syntax" OR "UNION" OR "SELECT")
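The indicators above can be checked mechanically. The following added example (written for this advisory, not code from PrestaShop, the module or its vendor) parses Combined Log Format access lines, keeps only requests whose decoded URI names the module, and flags parameters that either match common injection patterns or hold a non-numeric value where PrestaShop expects an integer ID; it also counts hits per client, since repeated probes from one source matter more than a single line. The endpoint file names in the sample lines are placeholders and the lines themselves are constructed; no real traffic is reproduced.

```python
"""Flag requests to the motivationsale module that look like SQL-injection probes.

Added example for this advisory; not code from PrestaShop, the module or its
vendor. Assumes Combined Log Format access logs (Apache/nginx default) and that
the module's front-office endpoints carry the module name in the URI, either as
/modules/motivationsale/... or as ?fc=module&module=motivationsale. The endpoint
file names and all log lines below are constructed placeholders.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, unquote_plus, urlsplit

MODULE_NAME = "motivationsale"

# Combined Log Format: ip ident user [ts] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Textual injection indicators, matched against the decoded parameter value.
SQLI_RE = re.compile(
    r"\bunion\b.*\bselect\b"                               # UNION-based extraction
    r"|\bselect\b.*\bfrom\b"
    r"|\b(?:sleep|benchmark|extractvalue|updatexml)\s*\("  # time- and error-based probes
    r"|'\s*(?:or|and)\b"                                   # quote followed by boolean operator
    r"|--[\s-]|/\*",                                       # comment sequences
    re.IGNORECASE | re.DOTALL,
)

# PrestaShop identifiers are integers (optionally comma-separated lists);
# anything else in an id parameter is suspicious even without SQL keywords.
ID_PARAM_RE = re.compile(r"^(?:id|ids|id_\w+)$")
ID_VALUE_RE = re.compile(r"\d+(?:,\d+)*")

# Constructed sample log lines; the client addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Nov/2023:10:00:01 +0000] "GET /modules/motivationsale/ajax.php?id_product=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Nov/2023:10:00:02 +0000] "GET /modules/motivationsale/ajax.php?id_product=12%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 500 0',
    '198.51.100.9 - - [21/Nov/2023:10:00:03 +0000] "GET /index.php?fc=module&module=motivationsale&controller=ajax&ids=1,2,3 HTTP/1.1" 200 800',
    '198.51.100.9 - - [21/Nov/2023:10:00:04 +0000] "GET /index.php?fc=module&module=motivationsale&controller=ajax&ids=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 800',
    '192.0.2.77 - - [21/Nov/2023:10:00:05 +0000] "GET /index.php?id_product=5%20UNION%20SELECT%201 HTTP/1.1" 404 0',
    '203.0.113.5 - - [21/Nov/2023:10:00:06 +0000] "GET /modules/%6Dotivationsale/ajax.php?id_product=12%27 HTTP/1.1" 500 0',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def targets_module(uri):
    """True if the decoded, lower-cased URI names the module. Decoding first
    defeats %-encoding of the module name (see the last sample line)."""
    return MODULE_NAME in unquote(uri).lower()


def suspicious_params(uri):
    """Return (param, decoded_value, reason) for each parameter that looks injected."""
    findings = []
    for key, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded payloads
        if SQLI_RE.search(decoded):
            findings.append((key, decoded, "sql-pattern"))
        elif ID_PARAM_RE.match(key) and not ID_VALUE_RE.fullmatch(decoded):
            findings.append((key, decoded, "non-numeric-id"))
    return findings


def scan(lines):
    """One hit per log line that targets the module and carries a suspicious parameter."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not targets_module(rec["uri"]):
            continue
        findings = suspicious_params(rec["uri"])
        if findings:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "uri": rec["uri"], "findings": findings})
    return hits


def hits_by_ip(hits):
    """Count hits per client; repeated probes from one source are the strongest signal."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ip"], h["ts"], h["status"], h["findings"])
    print(hits_by_ip(scan(SAMPLE_LOG)))
```

The type check on id parameters is deliberate: a bare %27 (single quote) probe contains no SQL keyword and slips past any keyword list, but it is not an integer. Decoding the URI before the module-name check stops %-encoding of the name from bypassing the filter, which is the same reason a WAF rule should URL-decode before matching. Feed the functions real access-log lines (for example via sys.stdin) and raise an alert when hits_by_ip shows more than a handful of hits from one client.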
