Security News > 2023 > April > PrestaShop fixes bug that lets any backend user delete databases

PrestaShop fixes bug that lets any backend user delete databases
2023-04-26 19:30

The open-source e-commerce platform PrestaShop has released a new version that addresses a critical-severity vulnerability allowing any back-office user to write, update, or delete SQL databases regardless of their permissions.

The permissions of each user are set so that they're only allowed to access the information and features necessary for their role, which is a crucial security feature of PrestaShop.

Tracked as CVE-2023-30839, the critical allows any user, regardless of their permissions, to perform unauthorized modifications on the online store's database, potentially causing significant damage or service outage to impacted businesses.

While the need to have a user account on the vulnerable site somewhat mitigates the vulnerability, considering that online shops often employ large teams to handle orders, the flaw introduces a risk of allowing rogue or disgruntled employees to cause damage.

It opens up a larger attack surface for hackers, who can now compromise any user account on PrestaShop-based e-commerce sites and potentially inject malicious code and backdoors or gain access to the SQL database.

Backdoor injections through website databases is a stealthy attack tactic Sucuri recently reported gaining traction in the wild, targeting mainly WordPress sites.


News URL

https://www.bleepingcomputer.com/news/security/prestashop-fixes-bug-that-lets-any-backend-user-delete-databases/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-04-25 CVE-2023-30839 SQL Injection vulnerability in Prestashop
PrestaShop is an Open Source e-commerce web application.
network
low complexity
prestashop CWE-89
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Prestashop 26 0 52 20 32 104