CVE-2023-26861
Description
SQL injection vulnerability found in PrestaShop vivawallet v.1.7.10 and before allows a remote attacker to gain privileges via the vivawallet() module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- PrestaShop/vivawallet
- Range: <=1.7.10
Patches
Vulnerability mechanics
Root cause
"The vivawallet module fails to properly sanitize SQL query parameters, allowing for SQL injection."
Attack vector
An attacker can exploit this vulnerability by sending a crafted request to the `fail.php`, `success.php`, or `webhook.php` controllers within the vivawallet module. The vulnerability lies in the handling of the `s` GET parameter, which is directly incorporated into SQL queries without adequate sanitization. This allows an attacker to manipulate the query to gain unauthorized access or modify data [ref_id=1]. The attack can be performed remotely and requires no user interaction [ref_id=1].
Affected code
The vulnerability exists in the `fail.php` and `success.php` files within the `vivawallet` module. Specifically, the code responsible for processing the `s` GET parameter and constructing SQL queries is affected. The patch modifies these files to implement proper SQL parameter sanitization [ref_id=1].
What the fix does
The patch replaces the use of `stripslashes()` with `pSQL()` for the `OrderCode` parameter in `fail.php` and `success.php`. The `pSQL()` function is designed to properly escape SQL queries, preventing malicious SQL code from being injected. This change ensures that user-supplied data is treated as literal values rather than executable SQL commands, thereby closing the SQL injection vulnerability [ref_id=1].
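The following PHP snippet is an added illustration of the pattern the advisory describes; it is not the vivawallet module's own code. It contrasts a lookup that only runs `stripslashes()` over the `s` parameter with one that passes it through `pSQL()`, and adds an allow-list check as a further hardening step. `Tools::getValue()`, `Db::getInstance()`, `_DB_PREFIX_` and `pSQL()` are PrestaShop's real helpers; the table and column names are hypothetical placeholders, and the module's actual query shape is not known from the page.

```php
<?php
// Added illustrative example (not the vivawallet module's code).
// Assumes a PrestaShop module controller context where Tools, Db,
// _DB_PREFIX_ and pSQL() are available.

// Vulnerable pattern: stripslashes() only removes backslashes. It does not
// escape quote characters, so a quote in $orderCode still changes the
// structure of the SQL statement instead of being read as data.
function findOrderUnsafe(string $orderCode)
{
    $orderCode = stripslashes($orderCode);
    // `example_orders` / `order_code` are hypothetical placeholder names.
    $sql = 'SELECT `id_order` FROM `' . _DB_PREFIX_ . 'example_orders` '
         . 'WHERE `order_code` = "' . $orderCode . '"';
    return Db::getInstance()->getValue($sql);
}

// Fixed pattern: pSQL() escapes the value through the database driver, so
// the string is interpreted as a literal regardless of what it contains.
function findOrderSafe(string $orderCode)
{
    $sql = 'SELECT `id_order` FROM `' . _DB_PREFIX_ . 'example_orders` '
         . 'WHERE `order_code` = "' . pSQL($orderCode) . '"';
    return Db::getInstance()->getValue($sql);
}

// Defence in depth: when the parameter has a known shape, reject anything
// outside a conservative character set before it reaches the query at all.
// The allowed pattern here is a hypothetical choice for an order code.
function findOrderStrict(string $orderCode)
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $orderCode)) {
        return false; // malformed input never reaches the database
    }
    return findOrderSafe($orderCode);
}

// Usage: read the `s` GET parameter named in the advisory via Tools::getValue(),
// which returns false when the parameter is absent.
$orderCode = Tools::getValue('s');
$idOrder = ($orderCode === false) ? false : findOrderStrict((string) $orderCode);
```

The allow-list check is the stronger control when it fits the data: escaping prevents the value from breaking out of the string literal, while validation additionally rejects inputs that could never be a legitimate order code, which also makes such requests easy to log and alert on.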
Preconditions
- config: The vivawallet module must be installed on the PrestaShop instance.
- input: The attacker needs to send a request with a specially crafted `s` GET parameter.
Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.