CVE-2023-34576
Description
SQL injection in PrestaShop opartfaq module up to 1.0.3 allows unauthenticated remote attackers to execute arbitrary SQL commands via updatepos.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in PrestaShop opartfaq module up to 1.0.3 allows unauthenticated remote attackers to execute arbitrary SQL commands via updatepos.php.
Vulnerability
An SQL injection vulnerability exists in the updatepos.php script of the PrestaShop module "Opart Faq" (opartfaq) versions up to and including 1.0.3 [1]. The bug resides in an AJAX endpoint that performs a database update operation using unsanitized user-supplied parameters from $_POST['opartFaqIdProductPos'] and $key. The vulnerable call is Db::getInstance()->update('opartfaq_questions_products', array('position' => $value), 'id_product='.$_POST['opartFaqIdProductPos'].' AND id_opartfaq_questions='.$key); where both parameters are concatenated directly into the SQL query without type casting or parameterization [1]. This allows any guest visitor to trigger the injection with a trivial HTTP request [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication, special network position, or user interaction [1]. The attack vector is network, complexity is low, and no privileges are required [1]. To exploit, the attacker sends a crafted HTTP POST request to the updatepos.php endpoint with malicious values in opartFaqIdProductPos or $key parameters that break out of the intended SQL syntax and execute arbitrary SQL statements [1]. The simple addition of (int) type casting in the patch confirms that the original parameters were used unsanitized [1].
Impact
Successful exploitation grants the attacker the ability to run arbitrary SQL commands against the PrestaShop database [1]. This can lead to obtaining admin access, removing data, copying sensitive tables to expose tokens and unlock admin AJAX scripts, rewriting SMTP settings to hijack emails, and full compromise of confidentiality, integrity, and availability (CVSS 9.8 critical) [1]. The attacker can read, modify, or delete any data in the database, potentially taking over the entire PrestaShop instance [1].
Mitigation
The vulnerability is fixed in version 1.0.4 of the opartfaq module, released on 2018 (note: no semver versioning before 2018, so all previous versions should be updated) [1]. The fix casts $_POST['opartFaqIdProductPos'] and $key to integers using (int) before concatenation [1]. Users must upgrade to version 1.0.4 or later [1]. No workaround is described for unpatched installations; upgrading to the latest PrestaShop version is also recommended as it disables multiquery execution by default [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Prestashop/opartfaqdescription
- Range: <=1.0.3
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of SQL parameters in updatepos.php allows for SQL injection."
Attack vector
A remote attacker can exploit this vulnerability by sending a crafted HTTP request to the `updatepos.php` script. This script is part of the Opart Faq module for PrestaShop. The vulnerability allows for arbitrary SQL commands to be executed due to insufficient sanitization of input parameters, potentially leading to unauthorized access or data manipulation [ref_id=1].
Affected code
The vulnerability exists in the `updatepos.php` file within the `opartfaq` module for PrestaShop. Specifically, the SQL query that updates the `opartfaq_questions_products` table is susceptible to injection due to unsanitized POST parameters.
What the fix does
The patch addresses the SQL injection vulnerability by explicitly casting the input values for `position`, `opartFaqIdProductPos`, and `key` to integers. This type casting ensures that only numerical values are used in the SQL query, preventing the injection of malicious SQL code. The fix is applied to the `updatepos.php` file in version 1.0.4 of the Opart Faq module [ref_id=1].
Preconditions
- inputThe attacker needs to provide crafted input via HTTP POST request to the `updatepos.php` script.
- networkThe vulnerability is exploitable over the network.
- authNo authentication or privileges are required to exploit this vulnerability.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- security.friendsofpresta.org/modules/2023/09/19/opartfaq.htmlnvdPatchThird Party Advisory
News mentions
0No linked articles in our index yet.