CVE-2023-30154
CRITICALAfterMail < 2.2.1 - SQL Injection via id_customer, id_conf, id_product, and token Parameters
Title source: llmDescription
Multiple improper neutralization of SQL parameters in module AfterMail (aftermailpresta) for PrestaShop, before version 2.2.1, allows remote attackers to perform SQL injection attacks via `id_customer`, `id_conf`, `id_product` and `token` parameters in `aftermailajax.php via the 'id_product' parameter in hooks DisplayRightColumnProduct and DisplayProductButtons.
References (1)
Core 1
Core References
Patch, Third Party Advisory
https://security.friendsofpresta.org/modules/2023/10/10/aftermailpresta.html
Scores
CVSS v3
9.8
EPSS
0.0060
EPSS Percentile
44.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
shoprunners/aftermail
< 2.2.1
Published
Oct 14, 2023
Tracked Since
Feb 18, 2026