CVE-2023-30839

CRITICAL

Prestashop < 1.7.8.9 - SQL Injection

Title source: rule

Description

PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.

Exploits (1)

nomisec WRITEUP

by drkbcn · poc

https://github.com/drkbcn/lblfixer_cve_2023_30839

View Code ZIP pw:eip

References (3)

[Patch] https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30

[Patch] https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149

[Vendor Advisory] https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822

Scores

CVSS v3 9.9

EPSS 0.0946

EPSS Percentile 92.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (2)

prestashop/prestashop < 1.7.8.9

prestashop/prestashop 8.0.0 - 8.0.4Packagist

Published Apr 25, 2023

Tracked Since Feb 18, 2026