VYPR
Moderate severity · NVD Advisory · Published Nov 9, 2023 · Updated Sep 4, 2024

Any value can be changed in the configuration table by an employee having access to block reassurance module

CVE-2023-47110

Description

PrestaShop blockreassurance module ≤5.1.3 allows authenticated attackers to modify any configuration value via an unprotected AJAX function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The PrestaShop blockreassurance module (versions prior to 5.1.4) contains an authorization bypass vulnerability in its AJAX handler. The function displayAjaxSavePositionByHook() directly updated the configuration table after only checking that the supplied hook name was non-empty and the value was one of three predefined position constants [2]. This insufficient validation allowed an attacker to pass arbitrary configuration keys and values, enabling modification of any setting stored in PrestaShop's configuration table [3].

Exploitation

An attacker must have back-office employee-level access to the PrestaShop administration panel and must be able to reach the vulnerable AJAX endpoint. No additional privileges are required beyond the ability to use the blockreassurance module [3]. The patch, introduced in version 5.1.4, adds two new methods — isAuthorizedHookConfigurationKey() and isAuthorizedPositionValue() — that restrict updates to only the four allowed hook names and the three allowed position values [2].
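To make the before/after difference described above concrete, here is an added Python model of the check (example code written for this page, not PrestaShop's own). It assumes POSITION_NONE is 0 (the value is not shown on this page), uses a placeholder key PS_EXAMPLE_SETTING to stand for any unrelated configuration key, and parses the request value more strictly than the PHP (int) cast does.

```python
"""Added example (not PrestaShop code): a Python model of the AJAX
save-position check before and after the 5.1.4 fix.

Constants and key names are taken from the fix diff; POSITION_NONE is
assumed to be 0 (its definition is not shown on the page)."""

POSITION_NONE = 0            # assumed value
POSITION_BELOW_HEADER = 1
POSITION_ABOVE_HEADER = 2
ALLOWED_POSITIONS = {POSITION_NONE, POSITION_BELOW_HEADER, POSITION_ABOVE_HEADER}

# The four configuration keys the handler is permitted to update.
ALLOWED_HOOK_KEYS = {
    "PSR_HOOK_HEADER", "PSR_HOOK_FOOTER", "PSR_HOOK_PRODUCT", "PSR_HOOK_CHECKOUT",
}


def to_position(value):
    """Parse a request value as a position. Only plain decimal strings are
    accepted; anything else yields None. (Stricter than PHP's (int) cast,
    which silently turns 'abc' into 0.)"""
    if isinstance(value, str) and value.isdigit():
        return int(value)
    return None


def vulnerable_save(hook, value, config):
    """Pre-5.1.4 logic: the key only has to be non-empty, so a request can
    name any configuration key as long as the value is a valid position."""
    if hook and to_position(value) in ALLOWED_POSITIONS:
        config[hook] = value          # raw string written to the table
        return True
    return False


def hardened_save(hook, value, config):
    """5.1.4 logic: key must be in the allow-list and the value one of the
    three positions. This model also stores the parsed integer rather than
    the raw string, so what is validated is exactly what is written."""
    if hook not in ALLOWED_HOOK_KEYS:
        return False
    position = to_position(value)
    if position not in ALLOWED_POSITIONS:
        return False
    config[hook] = position
    return True


def replay(requests):
    """Run the same requests through both handlers. Returns the per-request
    accept/reject decisions and the resulting configuration tables."""
    vuln_cfg, hard_cfg = {}, {}
    decisions = []
    for hook, value in requests:
        decisions.append((hook, value,
                          vulnerable_save(hook, value, vuln_cfg),
                          hardened_save(hook, value, hard_cfg)))
    return decisions, vuln_cfg, hard_cfg


# Constructed requests; PS_EXAMPLE_SETTING is a placeholder key, not a real one.
SAMPLE_REQUESTS = [
    ("PSR_HOOK_HEADER", "1"),       # legitimate: allowed key, valid position
    ("PS_EXAMPLE_SETTING", "2"),    # unrelated key, valid-looking value
    ("PSR_HOOK_FOOTER", "7"),       # allowed key, position out of range
    ("PSR_HOOK_FOOTER", "abc"),     # allowed key, non-numeric value
    ("", "1"),                      # empty key
]

if __name__ == "__main__":
    decisions, vuln_cfg, hard_cfg = replay(SAMPLE_REQUESTS)
    for hook, value, before, after in decisions:
        print(f"{hook or '<empty>':22} {value:5} before={before!s:5} after={after}")
    print("table after vulnerable handler:", vuln_cfg)
    print("table after hardened handler:  ", hard_cfg)
```

Running it shows the one row that matters: the pre-fix check writes PS_EXAMPLE_SETTING because it never looks at the key, while the hardened check rejects it and only ever writes the four PSR_HOOK_* keys with a canonical integer value.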

Impact

Successful exploitation allows an attacker to modify arbitrary configuration values, including settings that affect store functionality, security behavior, or user data. The integrity of the entire PrestaShop installation can be compromised, potentially leading to further attacks, data disclosure, or service disruption [3]. No confidentiality or availability impact is explicitly described, but configuration tampering can indirectly affect those aspects.

Mitigation

All users are strongly advised to update the blockreassurance module to version 5.1.4 or later, which contains the validation fix [1][3]. No known workarounds have been published; the only reliable mitigation is applying the security patch.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: prestashop/blockreassurance (Packagist)
Affected versions: < 5.1.4
Patched versions: 5.1.4

Affected products: 2

Patches: 1
0a74bf1ebb90

check configuration keys and values before applying update

https://github.com/PrestaShop/blockreassurance · matthieu.rolland · May 2, 2023 · via ghsa
2 files changed · +36 −6
  • blockreassurance.php (+5 −0, modified)
    @@ -41,6 +41,11 @@ class blockreassurance extends Module implements WidgetInterface
         const POSITION_BELOW_HEADER = 1;
         const POSITION_ABOVE_HEADER = 2;
     
    +    const PSR_HOOK_HEADER = 'PSR_HOOK_HEADER';
    +    const PSR_HOOK_FOOTER = 'PSR_HOOK_FOOTER';
    +    const PSR_HOOK_PRODUCT = 'PSR_HOOK_PRODUCT';
    +    const PSR_HOOK_CHECKOUT = 'PSR_HOOK_CHECKOUT';
    +
         /** @var string */
         public $name;
         /** @var string */
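Review bot: the four new `PSR_HOOK_*` constants carry no comment, unlike the neighbouring `/** @var string */` properties; a short line stating that these are the configuration keys the admin AJAX position handler is allowed to update would explain why they are grouped here and that the list must stay in sync with `isAuthorizedHookConfigurationKey()` in `AdminBlockListingController.php`.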
    
  • controllers/admin/AdminBlockListingController.php (+31 −6, modified)
    @@ -100,12 +100,7 @@ public function displayAjaxSavePositionByHook()
             $value = Tools::getValue('value');
             $result = false;
     
    -        if (!empty($hook) && in_array($value, [
    -                blockreassurance::POSITION_NONE,
    -                blockreassurance::POSITION_BELOW_HEADER,
    -                blockreassurance::POSITION_ABOVE_HEADER,
    -            ])
    -        ) {
    +        if ($this->isAuthorizedHookConfigurationKey($hook) && $this->isAuthorizedPositionValue($value)) {
                 $result = Configuration::updateValue($hook, $value);
             }
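Review bot: `Configuration::updateValue($hook, $value)` inside the new condition still writes the raw request string, while `isAuthorizedPositionValue()` (added further down in this commit) validates `(int) $value`; a value such as `'1abc'` passes the check but is stored unchanged. Validate and store the same canonical value, e.g. `$value = (int) Tools::getValue('value');` before the check, or `Configuration::updateValue($hook, (int) $value);`.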
     
    @@ -249,4 +244,34 @@ public function displayAjaxUpdatePosition()
             // Response
             $this->ajaxRenderJson($result ? 'success' : 'error');
         }
    +
    +    /**
    +     * @param $hook
    +     * @return bool
    +     */
    +    private function isAuthorizedHookConfigurationKey($hook)
    +    {
    +        return (
    +            !empty($hook) &&
    +            in_array($hook, [
    +                blockreassurance::PSR_HOOK_HEADER,
    +                blockreassurance::PSR_HOOK_FOOTER,
    +                blockreassurance::PSR_HOOK_PRODUCT,
    +                blockreassurance::PSR_HOOK_CHECKOUT,
    +            ], true)
    +        );
    +    }
    +
    +    /**
    +     * @param $value
    +     * @return bool
    +     */
    +    private function isAuthorizedPositionValue($value)
    +    {
    +        return in_array((int) $value, [
    +            blockreassurance::POSITION_NONE,
    +            blockreassurance::POSITION_BELOW_HEADER,
    +            blockreassurance::POSITION_ABOVE_HEADER,
    +        ], true);
    +    }
     }
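Review bot: the `(int)` cast in `isAuthorizedPositionValue()` turns any non-numeric string (`'abc'`, `''`) into 0, which is accepted if `POSITION_NONE` is 0 (its definition is outside this hunk), so the `true` strict flag on `in_array()` only guards the already-cast value. If only genuine numeric input should pass, check `is_numeric($value)` or `ctype_digit((string) $value)` before casting. Separately, the new docblocks declare `@param $hook` and `@param $value` without types; `@param string $hook` and `@param int|string $value` would match the surrounding code's documented style.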
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.