Critical severity 9.8 · NVD Advisory · Published Sep 20, 2023 · Updated Jun 12, 2026

CVE-2023-34575

Description

SQL injection in PrestaShop opartsavecart module <=2.0.7 allows unauthenticated remote attackers to execute arbitrary SQL commands via two front controller methods.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The PrestaShop module "Opart Save Cart" (opartsavecart) up to version 2.0.7 contains an SQL injection vulnerability in the OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods [1]. These methods construct SQL queries using unsanitized user input from Tools::getValue(), such as the opartCartId parameter, directly concatenated into the query string [1]. Affected versions are those before 2.0.8 [1]. Guest users can trigger the vulnerable code paths without authentication [1].

Exploitation

An attacker needs only network access to the PrestaShop instance; no authentication or user interaction is required [1]. The exploit sends an HTTP request to the vulnerable front controller methods, injecting SQL payloads through parameters such as opartCartId [1]. The attack is easy to overlook because the module's controller path may be hidden behind URL rewriting, so conventional frontend access logs record only a generic "POST /" entry [1]. With full request logging such as mod_security's AuditEngine enabled, the attack can still be traced [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands on the database [1]. This can lead to obtaining admin access, removing data from the associated PrestaShop, copying sensitive data (e.g., tokens) to expose and hijack admin AJAX scripts, rewriting SMTP settings to hijack emails, and fully compromising confidentiality, integrity, and availability (CVSS v3.1 base score 9.8) [1].

Mitigation

The vulnerability is fixed in version 2.0.8 of the opartsavecart module [1]. Users should upgrade to this version immediately [1]. No workarounds are disclosed in the available reference [1]. The module is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Improper neutralization of SQL parameters in SQL queries allows for arbitrary SQL command execution."

Attack vector

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the affected PrestaShop instance. The request targets methods within the OpartSaveCartDefaultModuleFrontController, such as initContent() and displayAjaxSendCartByEmail(). Because the parameters passed to these methods are concatenated into SQL queries without neutralization, an attacker who manipulates them can inject SQL commands [1]. The attack can be concealed within conventional frontend logs, appearing as a simple POST request to the root of the site [1].

Affected code

The vulnerability resides in the OpartSaveCart module for PrestaShop, specifically within the `OpartSaveCartDefaultModuleFrontController` class. The affected methods are `initContent()` and `displayAjaxSendCartByEmail()`, which contain SQL queries that are susceptible to injection [1]. The patch modifies the `default.php` file in the `controllers/front/` directory.

What the fix does

The patch addresses the SQL injection vulnerability by casting the `idCart` and `idCustomer` variables to integers before they are concatenated into the SQL query. In version 2.0.8, the SQL statement was modified from `DELETE FROM ". _DB_PREFIX_ ."opartsavecart WHERE id_cart=" . $idCart . " AND id_customer=" . $idCustomer;` to `DELETE FROM ". _DB_PREFIX_ ."opartsavecart WHERE id_cart=" . (int)$idCart . " AND id_customer=" . (int)$idCustomer;` [1]. The `(int)` cast guarantees that only an integer literal reaches the query string, so any SQL fragment carried in the request value is discarded rather than executed.
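To show why the `(int)` cast is sufficient here, the following added example (not code from the module or from the reference) rebuilds the pre-2.0.8 and 2.0.8 query patterns in Python, emulates PHP's `(int)` string cast, and runs both queries against a constructed in-memory SQLite table. The table name, the `ps_` prefix and the three sample rows are assumptions for the demonstration.

```python
import re
import sqlite3

DB_PREFIX = "ps_"  # constructed; PrestaShop's _DB_PREFIX_ is site-specific


def php_int_cast(value: str) -> int:
    """Emulate PHP's (int) cast on a string: optional leading whitespace,
    an optional sign and the leading digits are kept; anything else is 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def build_delete_vulnerable(id_cart: str, id_customer: str) -> str:
    # Pre-2.0.8 pattern: raw request values concatenated into the query.
    return ("DELETE FROM " + DB_PREFIX + "opartsavecart WHERE id_cart="
            + id_cart + " AND id_customer=" + id_customer)


def build_delete_fixed(id_cart: str, id_customer: str) -> str:
    # 2.0.8 pattern: values cast to int before concatenation, so only an
    # integer literal can ever appear in the WHERE clause.
    return ("DELETE FROM " + DB_PREFIX + "opartsavecart WHERE id_cart="
            + str(php_int_cast(id_cart)) + " AND id_customer="
            + str(php_int_cast(id_customer)))


def rows_left_after(query: str) -> int:
    """Run the query against a constructed table holding three saved carts
    (one per customer) and return how many rows survive."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE " + DB_PREFIX + "opartsavecart "
                "(id_cart INTEGER, id_customer INTEGER)")
    con.executemany("INSERT INTO " + DB_PREFIX + "opartsavecart VALUES (?, ?)",
                    [(1, 7), (2, 8), (3, 9)])
    con.execute(query)
    return con.execute("SELECT COUNT(*) FROM " + DB_PREFIX
                       + "opartsavecart").fetchone()[0]


if __name__ == "__main__":
    # Constructed request value: a cart id followed by an injected tautology
    # and a comment marker that swallows the rest of the WHERE clause.
    tainted = "1 OR 1=1 -- "
    print("vulnerable rows left:", rows_left_after(build_delete_vulnerable(tainted, "7")))
    print("fixed rows left:     ", rows_left_after(build_delete_fixed(tainted, "7")))
```

The vulnerable query removes every saved cart in the table, while the cast reduces the same input to `id_cart=1 AND id_customer=7` and deletes only the intended row.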

Preconditions

  • network: The vulnerable PrestaShop instance must be accessible over the network.
  • auth: No authentication is required to exploit this vulnerability.
  • input: The attacker must be able to send crafted HTTP requests with manipulated parameters.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)