CVE-2023-46349: SQL Injection
First published: Mon Nov 27 2023(Updated: )
In the module "Product Catalog (CSV, Excel) Export/Update" (updateproducts) < 3.8.5 from MyPrestaModules for PrestaShop, a guest can perform SQL injection. The method `productsUpdateModel::getExportIds()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Updateproducts Project | <3.8.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2023-46349.
What is the title of the vulnerability?
The title of the vulnerability is "In the module Product Catalog (CSV Excel) Export/Update (updateproducts) < 3.8.5 from MyPrestaModules for PrestaShop".
What is the severity of CVE-2023-46349?
The severity of CVE-2023-46349 is critical with a severity value of 9.8.
How can a guest perform SQL injection?
A guest can perform SQL injection by exploiting the sensitive SQL calls in the method productsUpdateModel::getExportIds().
How can I fix the vulnerability in the affected software version?
To fix the vulnerability, it is recommended to update the Product Catalog (CSV, Excel) Export/Update module to version 3.8.5 or above.
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/author
- agent/references
- agent/weakness
- agent/description
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- vendor/myprestamodules
- canonical/updateproducts project