Platform
php
Component
prestashop-google-integrator
Fixed in
2.1.5
A critical SQL Injection vulnerability (CVE-2023-6921) has been identified in the PrestaShop Google Integrator plugin, affecting versions from 0.0 up to and including 2.1.4. This flaw allows attackers to inject malicious SQL commands, potentially leading to unauthorized data extraction and modification. The vulnerability is triggered through command insertion within a cookie, making exploitation relatively straightforward. A fix is available in version 2.1.4.
The impact of this SQL Injection vulnerability is severe. An attacker can leverage it to bypass authentication and authorization mechanisms, gaining unauthorized access to the PrestaShop database. This could lead to the theft of sensitive customer data, including usernames, passwords, addresses, and payment information. Furthermore, attackers could modify product details, pricing, or inventory levels, disrupting business operations. The ability to modify data also opens the door to more sophisticated attacks, such as injecting malicious code into the database to compromise the entire PrestaShop installation. The cookie-based injection method simplifies exploitation, potentially allowing for automated attacks and widespread compromise.
CVE-2023-6921 was publicly disclosed on January 8, 2024. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target for attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
0.20% (42% percentile)
CVSS Vector
The primary mitigation for CVE-2023-6921 is to immediately upgrade the PrestaShop Google Integrator plugin to version 2.1.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL commands within cookie parameters. Specifically, look for unusual characters or patterns indicative of SQL injection attempts. Additionally, carefully review and sanitize all user inputs, particularly those received through cookies, to prevent further exploitation. After upgrading, confirm the fix by attempting to inject a simple SQL query through a cookie and verifying that it does not return any database information.
Update the PrestaShop Google Integrator module to version 2.1.4 or higher. This update fixes the SQL Injection vulnerability. You can update the module through the PrestaShop administration panel.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-6921 is a critical SQL Injection vulnerability affecting PrestaShop Google Integrator versions 0.0 - 2.1.4, allowing attackers to extract and modify data through cookie manipulation.
If you are using PrestaShop Google Integrator version 0.0 - 2.1.4, you are vulnerable. Upgrade to version 2.1.4 or later to mitigate the risk.
Upgrade the PrestaShop Google Integrator plugin to version 2.1.4 or later. If immediate upgrade is not possible, implement WAF rules to filter malicious SQL commands.
While no active exploitation campaigns have been definitively confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the PrestaShop security advisory for detailed information and updates: [https://security.prestashop.com/](https://security.prestashop.com/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.