CVE-2023-6921 - Vulnerability Details - OpenCVE

Blind SQL Injection vulnerability in PrestaShow Google Integrator (PrestaShop addon) allows for data extraction and modification. This attack is possible via command insertion in one of the cookies.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Prestashow	Google Integrator

Configuration 1 [-]

cpe:2.3:a:prestashow:google_integrator:*:*:*:*:*:prestashop:*:*

No data.

References

Link	Providers
https://cert.pl/en/posts/2024/01/CVE-2023-6921/
https://cert.pl/posts/2024/01/CVE-2023-6921/
https://prestashow.pl/pl/moduly-prestashop/28-prestashop-google-integrator-ga4-gtm-ads-remarketing.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2024-01-08T11:34:19.799Z

Updated: 2024-08-02T08:42:08.657Z

Reserved: 2023-12-18T15:08:09.463Z

Link: CVE-2023-6921

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-08T12:15:46.513

Modified: 2024-11-21T08:44:50.407

Link: CVE-2023-6921

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6921", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2023-12-18T15:08:09.463Z", "datePublished": "2024-01-08T11:34:19.799Z", "dateUpdated": "2024-08-02T08:42:08.657Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PrestaShop Google Integrator", "vendor": "PrestaShow", "versions": [{"lessThan": "2.1.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Piotr Zdunek"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Blind SQL Injection vulnerability in PrestaShow Google Integrator (PrestaShop addon) allows for data extraction and modification. This attack is possible via command insertion in one of the cookies.<br>"}], "value": "Blind SQL Injection vulnerability in PrestaShow Google Integrator (PrestaShop addon) allows for data extraction and modification. This attack is possible via command insertion in one of the cookies.\n"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7 Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-01-08T11:34:19.799Z"}, "references": [{"tags": ["product"], "url": "https://prestashow.pl/pl/moduly-prestashop/28-prestashop-google-integrator-ga4-gtm-ads-remarketing.html"}, {"url": "https://cert.pl/en/posts/2024/01/CVE-2023-6921/"}, {"url": "https://cert.pl/posts/2024/01/CVE-2023-6921/"}], "source": {"discovery": "UNKNOWN"}, "title": "SQL Injection in PrestaShop Google Integrator", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:42:08.657Z"}, "title": "CVE Program Container", "references": [{"tags": ["product", "x_transferred"], "url": "https://prestashow.pl/pl/moduly-prestashop/28-prestashop-google-integrator-ga4-gtm-ads-remarketing.html"}, {"url": "https://cert.pl/en/posts/2024/01/CVE-2023-6921/", "tags": ["x_transferred"]}, {"url": "https://cert.pl/posts/2024/01/CVE-2023-6921/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashow:google_integrator:*:*:*:*:*:prestashop:*:*", "matchCriteriaId": "6C4DFC6A-D90C-4E43-980E-2404E45E7983", "versionEndExcluding": "2.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Blind SQL Injection vulnerability in PrestaShow Google Integrator (PrestaShop addon) allows for data extraction and modification. This attack is possible via command insertion in one of the cookies.\n"}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL ciega en PrestaShow Google Integrator (complemento PrestaShop) permite la extracci\u00f3n y modificaci\u00f3n de datos. Este ataque es posible mediante la inserci\u00f3n de un comando en una de las cookies."}], "id": "CVE-2023-6921", "lastModified": "2024-11-21T08:44:50.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cvd@cert.pl", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-08T12:15:46.513", "references": [{"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-6921/"}, {"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/01/CVE-2023-6921/"}, {"source": "cvd@cert.pl", "tags": ["Product"], "url": "https://prestashow.pl/pl/moduly-prestashop/28-prestashop-google-integrator-ga4-gtm-ads-remarketing.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-6921/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/01/CVE-2023-6921/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://prestashow.pl/pl/moduly-prestashop/28-prestashop-google-integrator-ga4-gtm-ads-remarketing.html"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cvd@cert.pl", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}