Lucene search

GitHub_MCVELIST:CVE-2023-28843

HistoryMar 31, 2023 - 5:02 p.m.

CVE-2023-28843 Improper neutralization of SQL parameter in PayPal module for PrestaShop

2023-03-3117:02:27

CWE-89

GitHub_M

www.cve.org

sql injection

paypal module

prestashop

upgrade

vulnerability

remote attacker

privileges

data modification

system availability

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.2%

JSON

PrestaShop/paypal is an open source module for the PrestaShop web commerce ecosystem which provides paypal payment support. A SQL injection vulnerability found in the PrestaShop paypal module from release from 3.12.0 to and including 3.16.3 allow a remote attacker to gain privileges, modify data, and potentially affect system availability. The cause of this issue is that SQL queries were being constructed with user input which had not been properly filtered. Only deployments on PrestaShop 1.6 are affected. Users are advised to upgrade to module version 3.16.4. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "202ecommerce",
    "product": "paypal",
    "versions": [
      {
        "version": ">= 3.12.0, < 3.16.4",
        "status": "affected"
      }
    ]
  }
]

References

github.com/202ecommerce/paypal/commit/2f6884ea1d0fe4b58441699fcc1d6c56c7d733eb

github.com/202ecommerce/paypal/security/advisories/GHSA-66pc-8gh8-mx7m

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.2%

JSON

Related for CVELIST:CVE-2023-28843