VYPR
Unrated severity · NVD Advisory · Published Oct 3, 2023 · Updated Sep 20, 2024

CVE-2023-39651

Description

Improper neutralization of SQL parameter in Theme Volty CMS BrandList module for PrestaShop In the module “Theme Volty CMS BrandList” (tvcmsbrandlist) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Vulnerability mechanics

Root cause

"Improper neutralization of SQL parameters in the Theme Volty CMS BrandList module allows for SQL injection."

Attack vector

A guest user can perform a SQL injection attack by sending a crafted HTTP request to the `ajax.php` script within the "Theme Volty CMS BrandList" module. This script contains sensitive SQL calls that are vulnerable to exploitation. The attack requires no user interaction and can be performed over the network with low complexity [ref_id=1].

Affected code

The vulnerability exists in the `ajax.php` file of the "Theme Volty CMS BrandList" module. Specifically, the SQL queries that update the `position` and `id_tvcmsbrandlist` in the `ps_tvcmsbrandlist` table are affected. The patch modifies these queries in version 4.0.2 to properly sanitize the input parameters [ref_id=1].

What the fix does

The patch updates the `ajax.php` file by casting the `$pos` and `$value` variables to integers using the `(int)` type-cast operator. This ensures that only integer values are used in the SQL query, preventing the injection of malicious SQL code and mitigating the SQL injection vulnerability [ref_id=1].
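As an added illustration, not code from the module or from the referenced fix commit, the hypothetical PrestaShop-style handler below shows the query shape the advisory describes: first with raw request values interpolated into the statement, then with the `(int)` casts the 4.0.2 patch applies. The table and column names follow the advisory; the function names, the request parameter names and the exact statement text are assumptions.

```php
<?php
// Hypothetical reconstruction of a position-update handler of the kind an
// ajax.php endpoint might contain. This is NOT the tvcmsbrandlist module's
// actual code; only the table/column names come from the advisory.

// Before: request values are concatenated straight into the SQL string.
// $pos and $value are untrusted request input, so the statement text is
// attacker-controlled (the CWE-89 pattern the advisory describes).
function updatePositionVulnerable($pos, $value)
{
    $sql = 'UPDATE `' . _DB_PREFIX_ . 'tvcmsbrandlist` '
         . 'SET `position` = ' . $pos . ' '
         . 'WHERE `id_tvcmsbrandlist` = ' . $value;
    return Db::getInstance()->execute($sql);
}

// After: both values are cast to int before they reach the query, matching
// the fix in version 4.0.2. A PHP integer can never contain quotes, comment
// markers or additional statements, so the statement text stays fixed.
function updatePositionFixed($pos, $value)
{
    $pos   = (int) $pos;
    $value = (int) $value;
    $sql = 'UPDATE `' . _DB_PREFIX_ . 'tvcmsbrandlist` '
         . 'SET `position` = ' . $pos . ' '
         . 'WHERE `id_tvcmsbrandlist` = ' . $value;
    return Db::getInstance()->execute($sql);
}

// Typical call site inside an ajax handler. Tools::getValue() is PrestaShop's
// accessor for GET/POST parameters; the parameter names 'pos' and 'id' are
// assumed here, not taken from the module.
$result = updatePositionFixed(Tools::getValue('pos'), Tools::getValue('id'));
```

The cast is sufficient here only because both columns are integers. A string parameter cannot be fixed the same way; in PrestaShop it would go through `pSQL()` (or a prepared statement) so that the value is escaped rather than coerced. When reviewing similar module endpoints, look for any request-derived value that reaches `Db::getInstance()->execute()` without passing through a cast, `pSQL()` or a bound parameter.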

Preconditions

  • Input: The attacker needs to send a specially crafted HTTP request to the `ajax.php` script.
  • Auth: The attacker does not require any privileges (guest user).

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
