CVE-2023-39645

An unauthenticated guest can exploit this vulnerability by sending a crafted HTTP request to the `ajax.php` script within the module. This script contains sensitive SQL calls that are vulnerable to injection. The attacker can manipulate parameters to execute arbitrary SQL commands, potentially leading to data theft or modification. The attack vector is network-based with low complexity and requires no user interaction or privileges [ref_id=1].

The vulnerability resides in the `ajax.php` file of the "Theme Volty CMS Payment Icon" module (tvcmspaymenticon). Specifically, the SQL queries that update the `position` and `id_tvcmspaymenticon` fields in the `ps_tvcmspaymenticon` table are affected. The patch modifies these lines in `ajax.php` to include integer casting for the relevant variables [ref_id=1].

The patch in version 4.0.2 addresses the SQL injection vulnerability by casting the `$pos` and `$value` variables to integers using `(int)`. This type casting ensures that only integer values are used in the SQL queries, preventing the injection of malicious SQL code. By sanitizing these inputs, the module properly neutralizes potentially harmful parameters before they are used in database operations [ref_id=1].