CVE-2023-27568
Description
SQL injection vulnerability in Spryker Commerce OS 0.9 that allows for access to sensitive data via customer/order?orderSearchForm[searchText]=
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Spryker Commerce OS order history search allows authenticated attackers to extract sensitive database content.
Vulnerability
An SQL injection vulnerability exists in the orderSearchForm[searchText] parameter of the order history search form in Spryker Commerce OS. The flaw is present in the spryker/sales package versions 11.16.0 through 11.36.1 and in the spryker-feature/order-management feature versions 202009.0 through 202212.0 [1]. It allows an attacker to inject arbitrary SQL commands into the query used to fetch order records.
Exploitation
An attacker must have valid credentials for the Spryker-based webshop (i.e., they must be an authenticated user). With access to the order history page, the attacker crafts a malicious payload in the searchText field of the order search form. The input is not properly sanitized, enabling the injection of SQL statements into the underlying database query [1].
Impact
Successful exploitation grants the attacker unrestricted read access to the application's database. This can expose sensitive data such as customer personally identifiable information (PII), order details, and administrator login credentials (usernames and password hashes). Depending on the database configuration, the attacker may also be able to write files to the file system or execute arbitrary commands on the database management system, potentially leading to full system compromise [1][3].
Mitigation
As of the publication of the advisory on 20 April 2023, no official patch version was announced in the available references. The vendor, Spryker Systems GmbH, was notified and a fix was expected. Users should monitor for updates from the vendor and apply input validation or Web Application Firewall rules as a temporary workaround [1].
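The root cause described above is untrusted search text reaching the SQL query as part of the statement text rather than as a bound value. The following added example (not Spryker code; the table, column names and rows are constructed for illustration) shows the two patterns side by side against an in-memory SQLite database: a lookup that splices orderSearchForm[searchText] into the SQL string, and the hardened form that binds both the authenticated customer's identity and the search pattern as parameters and escapes LIKE wildcards so the input can only ever be matched as a literal.

```python
import sqlite3

# Constructed sample rows standing in for an order table; not Spryker's schema.
ORDERS = [
    (1, "alice@example.com", "DE--1001"),
    (2, "bob@example.com", "DE--1002"),
    (3, "carol@example.com", "DE--1003"),
]


def make_db():
    """Create an in-memory database seeded with the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, order_reference TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


def search_orders_vulnerable(conn, customer_email, search_text):
    """Defective pattern: search_text becomes part of the SQL text, so quote
    characters in it change the statement instead of the value being matched."""
    sql = (
        "SELECT id, order_reference FROM orders "
        f"WHERE email = '{customer_email}' AND order_reference LIKE '%{search_text}%'"
    )
    return conn.execute(sql).fetchall()


def escape_like(text):
    """Escape LIKE metacharacters so user input is matched literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_orders_hardened(conn, customer_email, search_text):
    """Hardened pattern: the customer scope and the search pattern are bound
    parameters; the database never parses them as SQL."""
    sql = (
        "SELECT id, order_reference FROM orders "
        "WHERE email = ? AND order_reference LIKE ? ESCAPE '\\'"
    )
    pattern = "%" + escape_like(search_text) + "%"
    return conn.execute(sql, (customer_email, pattern)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A legitimate search behaves the same in both versions.
    print(search_orders_hardened(db, "bob@example.com", "1002"))
    # The same constructed input: the vulnerable query's WHERE clause is
    # rewritten and returns every customer's orders; the hardened query
    # treats it as a literal and returns nothing.
    probe = "%' OR 1=1 --"
    print(len(search_orders_vulnerable(db, "alice@example.com", probe)))
    print(search_orders_hardened(db, "alice@example.com", probe))
```

Binding the customer identifier as well as the search text matters for the impact described above: even if the LIKE pattern were somehow abused, a correctly bound `email = ?` predicate keeps the result set scoped to the authenticated user's own orders. Escaping `%` and `_` is a separate concern from injection (it prevents a user from widening the match, not from altering the statement), but it is cheap to do at the same time.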
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Spryker/Commerce OS
- Range: <=0.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.