VYPR
Critical severity 9.8 · NVD Advisory · Published Oct 31, 2023 · Updated Jun 12, 2026

CVE-2023-36263

Description

Opart limit quantity PrestaShop module ≤1.4.5 allows unauthenticated SQL injection via a front controller, leading to full compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The PrestaShop module opartlimitquantity, version 1.4.5 and earlier, contains a SQL injection vulnerability in the OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage() method. The method builds a SQL query from unsanitized user input: the $id_product parameter is concatenated directly into a Db::getInstance()->getRow() call. The vulnerable code path is reachable without authentication or special configuration, because the controller is a front-facing endpoint. The fix, released as version 1.4.6, applies (int) casting to the query parameter or uses prepared statements [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP POST request to the module's front controller. No prior access or user interaction is needed; the only requirement is network access to the PrestaShop instance. By injecting SQL syntax into the id_product parameter passed to the endpoint, the attacker can manipulate the query to extract or modify database content. Because the request to the controller need not reveal a distinctive path, typical front-end access logs may record only `POST /` entries, so detection is difficult without deeper audit logging [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL against the PrestaShop database. This can lead to full administrative access (e.g., by retrieving admin credentials or session tokens), exfiltration of customer or order data, data destruction, modification of sensitive configuration (such as SMTP settings to redirect email), and further server-side compromise. The CVSS score is 9.8 (Critical): network attack vector, low attack complexity, and no privileges required [1].

Mitigation

The vulnerability is fixed in version 1.4.6 of the opartlimitquantity module, released on 2023-10-25. Users must upgrade to this version immediately. If upgrading is not possible, temporary workarounds include disabling the module or implementing a web application firewall (e.g., mod_security) with rules to detect SQL injection attempts. There is no evidence the CVE is listed on the CISA KEV catalog as of this writing [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The method `displayAjaxPushAlertMessage` in the Opart limit quantity module improperly neutralizes SQL parameters, allowing for SQL injection."

Attack vector

An unauthenticated guest can exploit this vulnerability by sending a crafted HTTP request to the `displayAjaxPushAlertMessage` method. This method belongs to the `OpartlimitquantityAlertlimitModuleFrontController` class and is reachable through a front controller. By manipulating the parameters of this simple HTTP request, the attacker can inject SQL, leading to unauthorized data access or modification [ref_id=1].

Affected code

The vulnerability resides in the `displayAjaxPushAlertMessage` method within the `OpartlimitquantityAlertlimitModuleFrontController` class, located in the file `modules/opartlimitquantity/controllers/front/alertlimit.php`. The specific lines of code affected are those that construct SQL queries using user-supplied input without proper sanitization [ref_id=1].

What the fix does

The patch in version 1.4.6 addresses the SQL injection vulnerability by casting the `id_product` parameter to an integer before it is used in the SQL query. In the original code, `id_product` was concatenated directly into the SQL string, which made it injectable. Casting it with `(int)$id_product` constrains the value to an integer, so any injected SQL syntax is discarded rather than executed [ref_id=1].
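The before/after pattern that the Vulnerability and fix sections describe, as an added example that is not the module's or the advisory's own code (the controller and method names come from the advisory; the table name, the query text and the getValue() stand-in for Tools::getValue() are assumptions):

```php
<?php
// Added illustration, not the module's code: the controller/method names are
// from the advisory; the table, the query text and the getValue() stand-in
// for Tools::getValue() are assumptions made for this demo.

define('_DB_PREFIX_', 'ps_');

// Stand-in for PrestaShop's Tools::getValue(): returns the raw request value.
function getValue(array $request, string $key, $default = false)
{
    return array_key_exists($key, $request) ? $request[$key] : $default;
}

// Pattern before the fix (<= 1.4.5): the raw parameter is concatenated into
// the SQL string, so a non-numeric value changes the structure of the query.
function alertQueryVulnerable(array $request): string
{
    $id_product = getValue($request, 'id_product');
    return 'SELECT id_product, quantity FROM `' . _DB_PREFIX_ . 'stock_available`'
        . ' WHERE id_product = ' . $id_product;
}

// Pattern after the fix (1.4.6): the (int) cast keeps only a leading integer
// (anything else becomes 0), so the query always ends in a single literal.
function alertQueryFixed(array $request): string
{
    $id_product = (int) getValue($request, 'id_product');
    return 'SELECT id_product, quantity FROM `' . _DB_PREFIX_ . 'stock_available`'
        . ' WHERE id_product = ' . $id_product;
}

// Defender-side check: does the id_product predicate end in exactly one
// integer literal (i.e. did the input survive only as a number)?
function predicateIsIntegerLiteral(string $sql): bool
{
    return (bool) preg_match('/WHERE id_product = -?\d+$/', $sql);
}

// Constructed requests: a normal lookup and a textbook tautology payload.
$benign  = ['id_product' => '12'];
$tainted = ['id_product' => '12 OR 1=1'];

assert(predicateIsIntegerLiteral(alertQueryVulnerable($benign)));
assert(!predicateIsIntegerLiteral(alertQueryVulnerable($tainted)));  // structure altered
assert(predicateIsIntegerLiteral(alertQueryFixed($tainted)));        // collapsed to 12
assert(alertQueryFixed($tainted) === alertQueryFixed($benign));

echo alertQueryVulnerable($tainted), PHP_EOL;
echo alertQueryFixed($tainted), PHP_EOL;
```

Run with `php` on the command line; the two echoed queries show the predicate altered in the vulnerable form and reduced to `id_product = 12` in the fixed form.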

Preconditions

  • input: The `id_product` parameter is not properly sanitized before being used in a SQL query.
  • auth: No authentication is required to exploit this vulnerability, allowing any guest user to perform the attack.
  • network: The vulnerability is exploitable over the network via HTTP requests.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0. No linked articles in our index yet.