CVE-2023-27032

Vulnerability

The PrestaShop AdvancedPopupCreator module by Idnovate, versions 1.1.21 to 1.1.24, contains a SQL injection vulnerability in the AdvancedPopup::getPopups() method. The vulnerability exists because the method directly incorporates $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'] into a SQL query without sanitization (the INSTR function call). The patch in version 1.1.25 wraps this concatenation with pSQL(), indicating the injection vector [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to any PrestaShop page that triggers the vulnerable method. Since the injection occurs through the HTTP_HOST and REQUEST_URI server variables, a remote attacker can manipulate these values (e.g., via a crafted Host header) without requiring authentication or user interaction. The attack complexity is low, and no special privileges are needed [1].

Impact

Successful exploitation allows an attacker to perform arbitrary SQL queries against the PrestaShop database. This can lead to complete compromise of the application: obtaining admin access, extracting sensitive data (e.g., customer information, credentials), deleting data, modifying SMTP settings to hijack emails, and potentially achieving remote code execution depending on the database privileges. The CVSS score is 9.8 (critical) with high impact on confidentiality, integrity, and availability [1].

Mitigation

Idnovate released version 1.1.25 of the AdvancedPopupCreator module on an unknown date, which fixes the vulnerability by sanitizing the input with pSQL() [1]. All users should update to version 1.1.25 or later immediately. If upgrading is not possible, the advisory recommends disabling the module as a workaround. The module is listed by Friends-Of-Presta as a known vulnerability; no CISA KEV listing is known at this time.