CVE-2023-46347
Published: 2023-10-25
Priority: P188 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS: 49.89% (98.8th percentile)
In the module "Step by Step products Pack" (ndk_steppingpack) version 1.5.6 and before from NDK Design for PrestaShop, a guest can perform SQL injection. The method `NdkSpack::getPacks()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ndkdesign | ndk_steppingpack | < 1.5.7 | 1.5.7 |
Detection & IOCs (extracted from sources)
- Command (observed payload): `search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;--`
- Monitor POST requests to /modules/ndk_steppingpack/search-result.php for SQL injection patterns in the search_query parameter, including stacked queries, UNION-based payloads, and time-delay constructs (e.g., SLEEP()).
- Time-based detection: a response duration >= 6 seconds to the endpoint with a stacked-query sleep payload is a strong indicator of successful exploitation.
- Union-based detection: look for the MD5 hash of a known numeric canary value (e.g., md5(999999999)) reflected in the HTTP response body.
- The vulnerable method is NdkSpack::getPacks(); trace SQL calls originating from this method in application-level logging.
- Shodan fingerprint for exposed attack surface: search for http.component:"prestashop" to identify potentially vulnerable PrestaShop instances.
- No authentication is required; the injection is exploitable by unauthenticated (guest) users via a single HTTP POST request.
- Affected versions are ndk_steppingpack 1.5.6 and earlier; version 1.5.7+ is patched. Ensure version checks are scoped accordingly.
- The Nuclei template uses a 15-second HTTP timeout per request to accommodate the time-based sleep payload; detection tooling should be configured with a matching or longer timeout to avoid false negatives.
- The template uses stop-at-first-match with two sequential payloads (time-based first, then union-based); a WAF or rate-limiter blocking the first request may prevent the union-based check from running.
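The detection guidance above can be turned into a small log-scanning rule. The following Python is an added example written for this page; it is not from the page's sources, the Nuclei template, or NDK Design. It assumes a JSON-lines log (constructed here) that records the POST body and response time for the search-result.php endpoint, since ordinary web-server access logs do not capture POST bodies and such a rule has to be fed from a WAF or application log. It decodes the parameter, expands MySQL hex literals so a statement smuggled as `0x...` (as in the observed payload) is matched like plain text, and pairs a sleep payload with a slow response to flag likely time-based exploitation.

```python
import re
from urllib.parse import unquote_plus
import json

# Endpoint and timing threshold taken from the detection guidance on this page.
TARGET_PATH = "/modules/ndk_steppingpack/search-result.php"
SLOW_MS = 6000  # a >= 6 s response together with a sleep payload is the page's time-based indicator

# Constructed sample log (JSON lines), not real traffic. The first body reproduces the
# payload listed on this page; the others are a union-style variant, a benign search, and noise.
SAMPLE_LOG = r'''
{"ts":"2024-06-19T10:00:01Z","method":"POST","path":"/modules/ndk_steppingpack/search-result.php","body":"search_query=1%22%29;select+0x73656c65637420736c6565702836293b+into+@a;prepare+b+from+@a;execute+b;--","status":200,"duration_ms":6042}
{"ts":"2024-06-19T10:00:09Z","method":"POST","path":"/modules/ndk_steppingpack/search-result.php","body":"search_query=1%22%29+union+select+md5%28999999999%29--","status":200,"duration_ms":118}
{"ts":"2024-06-19T10:00:12Z","method":"POST","path":"/modules/ndk_steppingpack/search-result.php","body":"search_query=red+t-shirt","status":200,"duration_ms":95}
{"ts":"2024-06-19T10:00:15Z","method":"GET","path":"/index.php","body":"","status":200,"duration_ms":40}
'''

# Indicators named on this page, matched against the normalised parameter value.
INDICATORS = {
    "stacked_query": re.compile(r";\s*(select|prepare|execute|insert|update|delete|drop|set)\b"),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b"),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\("),
    "md5_canary": re.compile(r"\bmd5\s*\(\s*\d+\s*\)"),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})")


def normalize(value: str) -> str:
    """Lower-case the value and expand MySQL hex literals (0x...) inline, so that a
    statement hidden as hex is inspected as text instead of slipping past the regexes."""
    value = value.lower()

    def expand(m: re.Match) -> str:
        try:
            return bytes.fromhex(m.group(1)).decode("ascii", errors="replace")
        except ValueError:  # odd-length hex: leave the literal as it was
            return m.group(0)

    return HEX_LITERAL.sub(expand, value)


def classify_query(value: str) -> list[str]:
    """Return the names of all indicators that fire on the (normalised) parameter value."""
    norm = normalize(value)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def extract_search_query(body: str) -> str:
    """Pull search_query out of a form-encoded body. Splitting on '&' only (not ';')
    keeps the stacked-query separators inside the value where we want to see them."""
    for pair in body.split("&"):
        key, _, val = pair.partition("=")
        if unquote_plus(key) == "search_query":
            return unquote_plus(val)
    return ""


def analyze_log(text: str) -> list[dict]:
    """Scan JSON-lines records and report POSTs to the vulnerable endpoint that carry
    an injection indicator or an anomalously slow response."""
    findings = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
            continue
        value = extract_search_query(rec.get("body", ""))
        hits = classify_query(value)
        slow = rec.get("duration_ms", 0) >= SLOW_MS
        if not hits and not slow:
            continue
        findings.append({
            "ts": rec["ts"],
            "indicators": hits,
            "slow_response": slow,
            # sleep/benchmark payload plus a slow response is the page's strongest signal
            "likely_time_based_exploitation": slow and "time_delay" in hits,
            "decoded": normalize(value),
        })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(json.dumps(f))
```

Running the block prints two findings: the first record is flagged as likely time-based exploitation (stacked query, decoded `select sleep(6);`, 6042 ms response), the second as a union/MD5-canary probe; the benign search and the unrelated GET produce nothing. The hex expansion is the part worth keeping in any real rule: matching only on the literal strings `sleep(` or `union select` in the raw body would miss the payload exactly as it appears on this page.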
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-8v8r-33p8-hh47 · ghsa_unreviewed · 2023-10-25 · CRITICAL · CWE-89
VulnCheck
ndkdesign ndk_steppingpack Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') · vulncheck · 2023 · CVSS 9.8 · CRITICAL
Affected: ndkdesign ndk_steppingpack
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-06-19&host_type=src&vulnerability=cve-2023-46347; https://dashboard.shadowserver.org/
No detection rules found.
Nuclei
PrestaShop Step by Step products Pack - SQL Injection · nuclei · CVSS 9.8 · CRITICAL
Template (truncated at the source):
```yaml
id: CVE-2023-46347
info:
  name: PrestaShop Step by Step products Pack - SQL Injection
  author: MaStErChO
  severity: critical
  description: |
    In the module “Step by Step products Pack” (ndk_steppingpack) up to 1.5.6 from NDK Design for PrestaShop, a guest can perform SQL injection in affected versions.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries, potentially extracting sensitive database information including user credentials and payment data.
  remediation: |
    Update the Step by Step products Pack (ndk_steppingpack) module to version 1.5.7 or la
```
No writeups or analysis indexed.
Timeline: 2023-10-25 Published · Exploited in the wild