CVE-2023-50061

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands on PrestaShop installations using the Op'art Easy Redirect module. Attackers can potentially read, modify, or delete database content, including sensitive customer data. All PrestaShop sites using affected versions of the Op'art Easy Redirect module are vulnerable.

💻 Affected Systems

Products:
  • PrestaShop Op'art Easy Redirect module
Versions: >= 1.3.8 and <= 1.3.12
Operating Systems: All platforms running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PrestaShop installation with the vulnerable module enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, website defacement, or full system takeover by chaining the SQL injection into remote code execution.

🟠 Likely Case: Database information disclosure including customer data, admin credentials, and configuration secrets.

🟢 If Mitigated: Limited impact with proper input validation and least-privilege database permissions, though any SQL injection remains dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection in the hookActionDispatcher() function suggests straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.13 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2024/02/08/oparteasyredirect.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel
2. Navigate to Modules > Module Manager
3. Search for 'Op'art Easy Redirect'
4. Update to version 1.3.13 or later
5. Clear PrestaShop cache

🔧 Temporary Workarounds

Disable vulnerable module (all platforms): Temporarily disable the Op'art Easy Redirect module until patched.

Web Application Firewall rules (all platforms): Implement WAF rules to block SQL injection patterns targeting hookActionDispatcher.

🧯 If You Can't Patch

  • Disable the Op'art Easy Redirect module immediately
  • Implement strict input validation and parameterized queries at the application level

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > Op'art Easy Redirect

Check Version:

No direct command; check via PrestaShop admin interface

Verify Fix Applied:

Confirm module version is 1.3.13 or later in admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests to hookActionDispatcher with SQL-like parameters
  • Database error messages containing SQL syntax

Network Indicators:

  • HTTP POST requests with SQL injection payloads targeting the vulnerable endpoint

SIEM Query:

web_requests WHERE url CONTAINS 'hookActionDispatcher' AND (params CONTAINS 'UNION' OR params CONTAINS 'SELECT' OR params CONTAINS 'OR 1=1')
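The SIEM query above as working detection code, added here as an example and not taken from the page or the module vendor, run offline over constructed access-log lines. It goes beyond the page's plain CONTAINS match: it parses the request URL, decodes the query-string values, and matches the page's indicators (UNION/SELECT, OR 1=1) as whole tokens so an ordinary search for "select shoes" is not flagged; the IPs, timestamps and parameter names in the sample are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in common log format (not real traffic, not from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Feb/2024:10:01:02 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 5120
203.0.113.9 - - [08/Feb/2024:10:01:07 +0000] "GET /index.php?id_product=12%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 310
198.51.100.2 - - [08/Feb/2024:10:02:11 +0000] "GET /index.php?search_query=select+shoes HTTP/1.1" 200 2048
198.51.100.7 - - [08/Feb/2024:10:03:30 +0000] "GET /index.php?id_cms=1%27%20OR%201%3D1-- HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) '
)

# The page's indicators (UNION/SELECT, OR 1=1) plus the quote-then-comment sequence
# that usually terminates an injected string; matched on DECODED parameter values
# and as whole tokens, so a search-box query such as "select shoes" is not flagged.
SQLI_PATTERNS = [
    re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),
    re.compile(r"\bOR\b\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"'\s*(--|#|/\*)"),
]


def suspicious_params(url):
    """Return (param, decoded_value, pattern) for each query parameter that looks injected."""
    hits = []
    # parse_qsl percent-decodes values and turns '+' into spaces before we match.
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                hits.append((key, value, pat.pattern))
                break
    return hits


def scan_log(text):
    """Parse access-log lines and return one alert per request with injected-looking parameters."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        hits = suspicious_params(m["url"])
        if hits:
            alerts.append({"ip": m["ip"], "status": int(m["status"]), "hits": hits})
    return alerts
```

A 500 response on a flagged request corroborates the "database error messages" indicator listed above.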

🔗 References