VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2023 · Updated Sep 20, 2024

CVE-2023-39648

Description

Improper neutralization of SQL parameter in Theme Volty CMS Testimonial module for PrestaShop. In the module “Theme Volty CMS Testimonial” (tvcmstestimonial) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2


Vulnerability mechanics

Root cause

"The module improperly neutralizes SQL parameters, allowing for SQL injection."

Attack vector

An unauthenticated guest can perform a SQL injection attack by sending a crafted HTTP request to the `ajax.php` script within the Theme Volty CMS Testimonial module. That script builds SQL statements directly from request parameters without neutralizing them, so attacker-controlled values become part of the query text. The attack requires no user interaction and can be performed over the network with low complexity [ref_id=1].

Affected code

The vulnerability exists in the `ajax.php` file of the Theme Volty CMS Testimonial module. Specifically, the SQL queries that reference the `position` and `id_tvcmstestimonial` fields are affected: the request-derived variables `$pos` and `$value` are concatenated into those queries as-is. The patch released in version 4.0.2 modifies these queries to cast the relevant variables to integers [ref_id=1].

What the fix does

The patch in version 4.0.2 addresses the SQL injection vulnerability by casting the `$pos` and `$value` variables to integers before they are used in the SQL queries. This type casting ensures that only integer literals reach the SQL statements, so any SQL syntax an attacker appends to those request parameters is discarded rather than executed [ref_id=1]. The cast is sufficient here only because both values are numeric; inputs that must carry arbitrary strings need escaping or bound parameters instead.
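The following is an added example, not code from the Theme Volty module or from this advisory's references, illustrating both the attack vector described above and the effect of the integer-cast fix. The module itself is PHP; this Python script reproduces the same query-building pattern against a constructed in-memory SQLite table whose schema is an assumption (only the two column names come from the advisory). `php_int_cast` approximates PHP's `(int)` cast on strings, which keeps the leading numeric prefix and turns everything else into 0. The tautology payload in `demo` is constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample table standing in for the module's testimonial table.
# Column names follow the advisory; the rest of the schema is an assumption.
SCHEMA = """
CREATE TABLE tvcmstestimonial (
    id_tvcmstestimonial INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    position INTEGER NOT NULL
);
INSERT INTO tvcmstestimonial VALUES (1, 'alice', 1), (2, 'bob', 2), (3, 'carol', 3);
"""


def fresh_db():
    """Return a new in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def php_int_cast(value):
    """Approximate PHP's (int) cast on a string: optional whitespace, then a
    signed integer prefix; anything else (including 'abc') becomes 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def update_position_vulnerable(conn, pos, value):
    """Pre-4.0.2 pattern: request values concatenated straight into SQL."""
    sql = ("UPDATE tvcmstestimonial SET position = " + str(pos)
           + " WHERE id_tvcmstestimonial = " + str(value))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows touched; >1 means the WHERE clause was hijacked


def update_position_fixed(conn, pos, value):
    """4.0.2-style fix: cast both inputs to int before building the query."""
    sql = ("UPDATE tvcmstestimonial SET position = " + str(php_int_cast(pos))
           + " WHERE id_tvcmstestimonial = " + str(php_int_cast(value)))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_position_parameterized(conn, pos, value):
    """Stronger form: bound parameters, so data is never parsed as SQL."""
    cur = conn.execute(
        "UPDATE tvcmstestimonial SET position = ? WHERE id_tvcmstestimonial = ?",
        (php_int_cast(pos), php_int_cast(value)),
    )
    conn.commit()
    return cur.rowcount


def positions(conn):
    """Map id_tvcmstestimonial -> position for the whole table."""
    return dict(conn.execute(
        "SELECT id_tvcmstestimonial, position FROM tvcmstestimonial ORDER BY 1"))


def demo():
    """Run the same guest-supplied payload through all three variants."""
    payload_value = "1 OR 1=1"  # constructed tautology payload for the id parameter
    results = {}

    conn = fresh_db()
    results["vulnerable_rows"] = update_position_vulnerable(conn, "9", payload_value)
    results["vulnerable_state"] = positions(conn)   # every row rewritten

    conn = fresh_db()
    results["fixed_rows"] = update_position_fixed(conn, "9", payload_value)
    results["fixed_state"] = positions(conn)        # only id 1 rewritten

    conn = fresh_db()
    results["param_rows"] = update_position_parameterized(conn, "9", payload_value)
    results["param_state"] = positions(conn)        # only id 1 rewritten
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the vulnerable builder the payload turns the query into `... WHERE id_tvcmstestimonial = 1 OR 1=1`, rewriting every row; after the cast the same payload collapses to `1` and only one row changes. The cast works because both columns are integers; a parameter that legitimately carries text cannot be protected this way and needs bound parameters, shown in the third variant.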

Preconditions

  • auth: The attacker does not require any authentication (guest user).
  • network: The attack can be performed over the network.
  • input: The attack involves sending a crafted HTTP call.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
