CVE-2023-27637
Published 2023-03-22
Priority: P1 · 78 · Critical · CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 3.30% (87.0th percentile)
An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with a compromised product_id GET parameter in order to exploit an insecure parameter in the front controller file designer.php, which could lead to a SQL injection. This is exploited in the wild in March 2023.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tshirtecommerce | custom_product_designer | — | — |
Detection & IOCs (extracted from sources)
- Detect time-based SQL injection attempts against the tshirtecommerce designer endpoint by monitoring for requests to /module/tshirtecommerce/designer with SQL keywords (e.g., SELECT, SLEEP) in the parent_id or product_id GET parameters.
- A successful exploitation response contains the string 'product not found' in the body with HTTP 200 status and a response duration >= 8 seconds (due to the SLEEP(8) payload), indicating blind time-based SQLi.
- Fingerprint vulnerable PrestaShop installations by searching for pages containing both 'Prestashop' and 'tshirtecommerce' in the response body (FOFA query: body="Prestashop" && body="tshirtecommerce").
- The vulnerability is unauthenticated (PR:N) and exploitable remotely (AV:N), so no session cookie or authentication token is required to trigger the SQL injection via the designer endpoint.
- The Nuclei template uses a 30-second timeout to accommodate the SLEEP(8) time-based payload; detection rules should account for delayed responses rather than relying solely on immediate response anomalies.
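As an added example that is not part of this record or of the tshirtecommerce module: a Python scan over constructed access-log lines (the log format is an assumption, noted in the code) that applies the indicators above, flagging designer requests whose parent_id or product_id carries SQL keywords and marking those that also returned HTTP 200 after 8 s or more.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the detection notes for CVE-2023-27637.
DESIGNER_PATH = "/module/tshirtecommerce/designer"
WATCHED_PARAMS = ("parent_id", "product_id")
SQL_KEYWORDS = re.compile(r"\b(select|sleep|union|benchmark)\b", re.I)
SLOW_RESPONSE_SECS = 8.0  # SLEEP(8) payload: a 200 taking >= 8 s is the success signature

# Assumed (constructed) log shape: '<ip> "<METHOD> <uri> HTTP/1.x" <status> <bytes> <seconds>'
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+) [^"]+" (\d{3}) (\d+) ([\d.]+)$')

# Constructed sample lines: one benign designer request, one SLEEP probe that took 8.34 s,
# one unrelated request, and one keyword probe the server rejected with a 500.
SAMPLE_LOG = [
    '203.0.113.5 "GET /module/tshirtecommerce/designer?product_id=12 HTTP/1.1" 200 5120 0.21',
    '203.0.113.9 "GET /module/tshirtecommerce/designer?parent_id=1%20AND%20SLEEP(8) HTTP/1.1" 200 87 8.34',
    '198.51.100.2 "GET /index.php?id_product=12 HTTP/1.1" 200 9000 0.10',
    '203.0.113.9 "GET /module/tshirtecommerce/designer?product_id=1%20UNION%20SELECT%201 HTTP/1.1" 500 0 0.05',
]


def analyse_line(line):
    """Return a finding dict for a suspicious designer request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, uri, status, _size, secs = m.groups()
    parts = urlsplit(uri)
    if DESIGNER_PATH not in parts.path:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    hits = [p for p in WATCHED_PARAMS for v in qs.get(p, []) if SQL_KEYWORDS.search(v)]
    if not hits:
        return None
    status, secs = int(status), float(secs)
    return {
        "ip": ip,
        "params": hits,
        "status": status,
        "seconds": secs,
        # Access logs do not carry the 'product not found' body string, so the timing
        # plus a 200 is the strongest signal available here; treat it as a high-priority alert.
        "likely_success": status == 200 and secs >= SLOW_RESPONSE_SECS,
    }


def scan_log(lines):
    """Return one finding per suspicious request, in log order."""
    return [f for f in (analyse_line(l) for l in lines) if f]
```

Rejected probes (non-200) still indicate reconnaissance against the endpoint and are worth correlating by source address.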
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-c9qp-jr36-5vxw · ghsa_unreviewed · 2023-03-22 · CVE-2023-27637 [CRITICAL] · CWE-89
Title: An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop (description identical to the NVD text above).
VulnCheck
vulncheck · 2023 · CVSS 9.8
CVE-2023-27637 [CRITICAL] tshirtecommerce custom_product_designer: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description identical to the NVD text above.
Affected: tshirtecommerce custom_product_designer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://security.friendsofpresta.org/module/2023/03/21/tshirtecommerce_cwe-89.html; https:
No detection rules found.
Nuclei
nuclei · CVSS 9.8
CVE-2023-27637 [CRITICAL] PrestaShop `tshirtecommerce` Module - SQL Injection
The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the designer endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database.
Template (truncated on the source page):
```yaml
id: CVE-2023-27637
info:
  name: PrestaShop `tshirtecommerce` Module - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the designer endpoint, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database.
  impact: |
    Unauthenticated attackers can execute time-based SQL injection through the parent_id parameter in the designer endpoint to extract the complete
```
No writeups or analysis indexed.
References
- https://codecanyon.net/item/prestashop-custom-product-designer/19202018
- https://friends-of-presta.github.io/security-advisories/module/2023/03/21/tshirtecommerce_cwe-89.html
- https://tshirtecommerce.com/