CVE-2023-39526
Published: 07 August 2023
Summary
CVE-2023-39526 is a critical-severity SQL Injection (CWE-89) vulnerability in PrestaShop (vendor: PrestaShop). Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
PrestaShop is an open source e-commerce web application affected by CVE-2023-39526, a remote code execution flaw present in all versions prior to 1.7.8.10, 8.0.5, and 8.1.1. The vulnerability arises from a combination of SQL injection and arbitrary file write capabilities within the back-office administrative interface and is tracked under CWE-89.
An authenticated attacker with back-office privileges can exploit the issue over the network to inject SQL statements and write arbitrary files, ultimately achieving remote code execution on the server with impacts to confidentiality, integrity, and availability. The CVSS 9.1 score reflects the high severity of this attack path when the attacker already possesses administrative credentials.
Official patches addressing the flaw are available in the referenced PrestaShop security advisory GHSA-gf46-prm4-56pc and the corresponding code commit that resolves the injection and file-write vectors. No workarounds are documented. The associated EPSS score has remained flat at 0.1387 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2292
Vulnerability details
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch.…
There are no known workarounds.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.