CVE-2023-39652

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the `TvcmsVideoTabConfirmDeleteModuleFrontController::run()` endpoint. The request can include malicious SQL code within the `id` or `id_lang` parameters. This allows the attacker to inject arbitrary SQL queries into the application's database. The vulnerability is present in versions up to 4.0.0 of the tvcmsvideotab module [ref_id=1].

The vulnerability resides in the `TvcmsVideoTabConfirmDeleteModuleFrontController::run()` method within the `confirmdelete.php` file. Specifically, the lines where `Tools::getValue('id')` and `Tools::getValue('id_lang')` are retrieved are affected [ref_id=1].

The patch addresses the SQL injection vulnerability by ensuring that the `id` and `id_lang` parameters are properly cast to integers before being used in SQL queries. This type casting prevents malicious SQL code from being interpreted as part of the query, thereby mitigating the risk of SQL injection. The fix is implemented in version 4.0.1 of the module [ref_id=1].