CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier
Description
CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An error-based SQL injection in CoreShop's admin panel allows authenticated admins to extract data via a vulnerable customer-company-modifier endpoint.
Vulnerability Analysis
An error-based SQL injection (SQLi) vulnerability exists in CoreShop versions prior to 4.1.9, specifically within the CustomerTransformerController of the admin panel [1][2]. The affected endpoint /admin/coreshop/customer-company-modifier/duplication-name-check accepts a value parameter that is directly interpolated into a sprintf statement: sprintf('name LIKE "%%%s%%"', (string) $value) [2]. This lack of parameterization or escaping allows an attacker to break out of the string context and inject arbitrary SQL commands.
Attack Vector
The vulnerability is exploitable by any authenticated admin user; default credentials (admin/coreshop) are often used in demonstration environments, making exploitation straightforward if passwords are not changed [2]. By sending a crafted request to the duplication-name-check endpoint with a malicious value parameter (e.g., containing a double-quote character), an attacker can trigger SQL syntax errors. These errors confirm the injection point and can be leveraged to extract database content through the error messages themselves.
Impact
An authenticated attacker exploiting this flaw can read sensitive information from the underlying database by observing error-based responses [1][2]. The vulnerability is classified as MEDIUM severity because admin authentication is required, but the exposure of customer information, order details, or other business data from the Pimcore-backed eCommerce platform could have serious privacy and compliance repercussions [2].
Remediation
The CoreShop project released version 4.1.9, which addresses the issue by fixing the vulnerable endpoint [3][4]. Users are strongly advised to update immediately. No workarounds have been published; however, restricting access to the admin panel and enforcing strong authentication policies can reduce exposure pending the update [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
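As an added illustration of the mechanism described in the analysis and remediation sections above (this is not CoreShop's code), the following PHP script contrasts the sprintf-interpolated LIKE condition with the bound-parameter form on an in-memory SQLite table. The table, function names and sample values are constructed for the example; the real controller goes through Pimcore's listing API rather than PDO directly, and the pattern is wrapped in single quotes here because SQLite treats double quotes as identifiers, so the breakout character in this example is a single quote rather than the double quote used against MySQL.

```php
<?php
// Added example, not CoreShop code: shows why interpolating user input into a
// LIKE pattern is an injection point and what the bound-parameter fix changes.
// Uses an in-memory SQLite table constructed for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO company (name) VALUES ('Acme GmbH'), ('Beta Ltd')");

// Vulnerable pattern (pre-4.1.9 shape): the raw value lands inside the SQL string,
// so a quote in the input ends the literal and the rest is parsed as SQL.
function duplicateNamesVulnerable(PDO $pdo, string $value): array
{
    $sql = sprintf("SELECT name FROM company WHERE name LIKE '%%%s%%'", $value);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed pattern (the shape of the 4.1.9 change): a placeholder in the SQL text and
// the value passed separately, so the driver never parses the input as SQL.
function duplicateNamesFixed(PDO $pdo, string $value): array
{
    $stmt = $pdo->prepare('SELECT name FROM company WHERE name LIKE ?');
    $stmt->execute(['%' . $value . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Optional extra hardening (not part of the CoreShop patch): neutralise the LIKE
// wildcards so an input of "%" or "_" cannot match every company name.
function duplicateNamesFixedEscaped(PDO $pdo, string $value): array
{
    $escaped = addcslashes($value, '%_\\');
    $stmt = $pdo->prepare("SELECT name FROM company WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal name, a name containing a quote, and a bare wildcard.
foreach (['Acme', "Ac'me", '%'] as $value) {
    try {
        $vuln = json_encode(duplicateNamesVulnerable($pdo, $value));
    } catch (PDOException $e) {
        // A syntax error surfacing here is the error-based signal the advisory describes.
        $vuln = 'SQL ERROR: ' . $e->getMessage();
    }
    printf(
        "value=%-8s vulnerable=%s fixed=%s escaped=%s\n",
        json_encode($value),
        $vuln,
        json_encode(duplicateNamesFixed($pdo, $value)),
        json_encode(duplicateNamesFixedEscaped($pdo, $value))
    );
}
```

Run with `php example.php` (needs the pdo_sqlite extension). The quoted input raises a database error only in the vulnerable function; the bound version returns an empty result for it, and the escaped variant additionally returns nothing for the bare `%` input, which the plain bound version still treats as a match-everything wildcard.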
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| coreshop/core-shop (Packagist) | < 4.1.9 | 4.1.9 |
Affected products
Patches
Commit af80b8f5c7df: Fix Injection in CustomerTransformerController
1 file changed · +1 −1
src/CoreShop/Bundle/CoreBundle/Controller/CustomerTransformerController.php+1 −1 modified@@ -41,7 +41,7 @@ public function checkForNameDuplicatesAction(Request $request): JsonResponse if ($value !== null) { $list = $this->getCompanyRepository()->getList(); - $list->addConditionParam(sprintf('name LIKE "%%%s%%"', (string) $value)); + $list->addConditionParam('name LIKE ?', '%' . $value . '%'); $foundObjects = $list->getData(); }
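Review bot: the one-line change in `checkForNameDuplicatesAction` replaces the sprintf-interpolated condition with the placeholder form, `$list->addConditionParam('name LIKE ?', '%' . $value . '%');`, so `$value` is bound rather than spliced into the SQL text and the quote breakout described in the advisory no longer applies. Two follow-ups worth raising on this hunk: the `%` and `_` LIKE wildcards inside `$value` are still interpreted, so a value of `%` matches every company name; if the duplicate check is meant to be an exact-substring match, escape those characters before concatenation. And the fix lands without a regression test; a test that submits a value containing a double-quote character and asserts a well-formed JSON response rather than a database error would keep the interpolation pattern from returning.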
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fqcv-8859-86x2 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23959 (NVD advisory)
- github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2 (fix commit)
- github.com/coreshop/CoreShop/releases/tag/4.1.9 (release notes)
- github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2 (vendor advisory)