CVE-2023-27637 Scanner
CVE-2023-27637 Scanner - SQL Injection vulnerability in PrestaShop tshirtecommerce Module
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 1 week 3 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
PrestaShop is an open-source e-commerce solution that is widely used by online retailers to build their online stores. The platform includes a variety of modules, such as the tshirtecommerce module, which allows merchants to offer custom product designs to their customers. Businesses around the world rely on PrestaShop for its flexibility and customizability, making it a popular choice for e-commerce. The tshirtecommerce module enhances the functionality of PrestaShop by enabling users to customize products, which is a valuable feature for merchants providing bespoke services. It is developed by third-party vendors and can be integrated into existing PrestaShop installations to enhance customer experience. PrestaShop, with its extensive community support and rich feature set, is a vital tool for businesses looking to expand their online presence.
The detected vulnerability within the PrestaShop tshirtecommerce module is a critical SQL Injection. SQL Injection is a code injection technique used to attack data-driven applications by inserting malicious SQL statements into an entry field for execution. In this specific case, the vulnerability allows unauthenticated attackers to execute arbitrary SQL queries on the database via the designer endpoint. This vulnerability could potentially expose sensitive information stored in the database, making it a significant threat to data security and integrity. The accessibility of the vulnerability without authentication increases its risk, as attackers do not need valid credentials to exploit it. Overall, this SQL Injection vulnerability compromises the data security of the PrestaShop tshirtecommerce module installations.
The vulnerable endpoint is the designer function within the tshirtecommerce module, when it is accessed with certain query strings in the URL. The vulnerability is exploited with specially crafted requests that inject SQL commands through parameters such as `product_id` and `parent_id`. The injected statements are executed by the database server; a sleep command, for example, delays the response, and that delay verifies that the injection succeeded. The matcher criteria for detecting this vulnerability are therefore the duration of the response, the status code, and specific contents in the response body. The risk is elevated by the ease of crafting requests to exploit this weakness, highlighting the need for urgent remediation.
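On the defensive side, the same two parameters can be watched in web server logs. The following is an added example, not code from the scanner or the module: it assumes a combined-format access log, that requests to the module carry "tshirtecommerce" and "designer" in the URL path, and that legitimate `product_id` and `parent_id` values are plain integers; the sample log lines and their path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions: combined-format access log; requests to the module carry
# "tshirtecommerce" and "designer" in the URL path; both IDs are integers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
WATCHED_PARAMS = ("product_id", "parent_id")

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Mar/2023:10:00:01 +0000] "GET /tshirtecommerce/designer.php?product_id=12&parent_id=3 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Mar/2023:10:00:05 +0000] "GET /tshirtecommerce/designer.php?product_id=12%20AND%20SLEEP(5)&parent_id=3 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2023:10:00:09 +0000] "GET /index.php?product_id=abc HTTP/1.1" 200 100',
]

def suspicious_params(target):
    """Return (name, decoded value) pairs whose value is not a plain integer."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if "tshirtecommerce" not in path or "designer" not in path:
        return []  # not a request to the module's designer endpoint
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return [(name, value)
            for name in WATCHED_PARAMS
            for value in query.get(name, [])
            if not re.fullmatch(r"[0-9]+", value)]

def scan(lines):
    """Flag log entries that send non-numeric IDs to the designer endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the assumed log format
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"),
                             "status": int(m.group("status")),
                             "params": hits})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

A hit only shows that a non-numeric value reached the endpoint; correlating it with an unusually long response time for the same request, where the log records one, matches the duration criterion described above.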
Exploitation of this vulnerability can have severe impacts on affected systems. Attackers can gain unauthorized access to sensitive data stored in the e-commerce platform's database, such as customer information, transaction records, and business-critical configurations. The exposure of such data poses significant privacy and financial risks to both vendors and their customers. Furthermore, attackers could potentially manipulate or delete critical data, causing downtime and operational challenges. The public exposure of sensitive information may lead to reputational damage and legal repercussions for the affected businesses, emphasizing the importance of addressing this vulnerability promptly.