Vulnerability Details CVE-2023-46357
In the module "Cross Selling in Modal Cart" (motivationsale) < 3.5.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection. The method `motivationsaleDataModel::getProductsByIds()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 23.7%
CVSS Severity
CVSS v3 Score 9.8
References
- https://addons.prestashop.com/fr/ventes-croisees-packs-produits/16122-cross-selling-in-modal-cart.html
- https://security.friendsofpresta.org/modules/2023/11/21/motivationsale.html
- https://addons.prestashop.com/fr/ventes-croisees-packs-produits/16122-cross-selling-in-modal-cart.html
- https://security.friendsofpresta.org/modules/2023/11/21/motivationsale.html
Products affected by CVE-2023-46357
-
cpe:2.3:a:myprestamodules:cross_selling_in_modal_cart:-