Cyber Resilience

CVE-2023-39526

Severity: Critical

Published: 07 August 2023
Modified: 21 November 2024
KEV added: not listed
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.1387 (94.5th percentile)
Risk priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-39526 is a critical-severity SQL Injection (CWE-89) vulnerability in the PrestaShop e-commerce application (vendor PrestaShop). Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

PrestaShop is an open source e-commerce web application affected by CVE-2023-39526, a remote code execution flaw present in all versions prior to 1.7.8.10, 8.0.5, and 8.1.1. The vulnerability arises from a combination of SQL injection and arbitrary file write capabilities within the back-office administrative interface and is tracked under CWE-89.

An authenticated attacker with back-office privileges can exploit the issue over the network to inject SQL statements and write arbitrary files, ultimately achieving remote code execution on the server with impacts to confidentiality, integrity, and availability. The CVSS 9.1 score reflects the high severity of this attack path when the attacker already possesses administrative credentials.

Official patches addressing the flaw are available in the referenced PrestaShop security advisory GHSA-gf46-prm4-56pc and the corresponding code commit that resolves the injection and file-write vectors. No workarounds are documented. The associated EPSS score has remained flat at 0.1387 with no material increase since disclosure.


Vulnerability details

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch.…


There are no known workarounds.

CWE(s)

CWE-89: SQL Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: prestashop
Product: prestashop
Affected versions: 8.1.0 · ≤ 1.7.8.10 · 8.0.0 — 8.0.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Query input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
