
CVE-2023-43663: PrestaShop allows users to uninstall modules from backoffice, even with low rights

CVSS Score (v3.1)
4.3

Basic Information

EPSS Score
0.2897%
Published
9/28/2023
Updated
11/7/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name
prestashop/prestashop
Ecosystem
composer
Vulnerable Versions
< 8.1.2
First Patched Version
8.1.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from insufficient hook validation in the ajaxProcessSaveDashConfig method. The patch adds an allowlist (DASHBOARD_ALLOWED_HOOKS) that restricts which hooks the method may execute, and removes the generic Validate::isHookName check, which only verified that a value was shaped like a hook name and therefore let dangerous hooks through. This method handles dashboard configuration updates and was reachable by low-privileged users without an authorization check for the module management actions those hooks could trigger.
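An added example, not code from PrestaShop or from this page, of the difference the analysis describes: a format-only hook-name check (standing in for Validate::isHookName) beside an allowlist check in the spirit of DASHBOARD_ALLOWED_HOOKS. The allowlist entries, helper names and sample request are constructed assumptions.

```php
<?php
// Stand-in for a generic Validate::isHookName-style check (hypothetical):
// it only verifies that the string is shaped like a hook name.
function looksLikeHookName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]+$/', $name);
}

// Allowlist in the spirit of DASHBOARD_ALLOWED_HOOKS; the entries are
// constructed for this example, not taken from the project.
const DASHBOARD_ALLOWED_HOOKS = ['dashboardZoneOne', 'dashboardZoneTwo'];

function isAllowedDashboardHook(string $name): bool
{
    return in_array($name, DASHBOARD_ALLOWED_HOOKS, true);
}

// Weak handler: any well-formed name passes, including hooks that have
// nothing to do with the dashboard.
function saveDashConfigWeak(array $hooks): array
{
    foreach ($hooks as $hook) {
        if (!looksLikeHookName($hook)) {
            throw new InvalidArgumentException("Malformed hook name: $hook");
        }
    }
    return $hooks;
}

// Hardened handler: only allowlisted dashboard hooks are accepted, so a
// low-privileged dashboard user cannot reach hooks outside that set.
function saveDashConfigHardened(array $hooks): array
{
    foreach ($hooks as $hook) {
        if (!isAllowedDashboardHook($hook)) {
            throw new InvalidArgumentException("Hook not allowed here: $hook");
        }
    }
    return $hooks;
}

// Constructed request: one dashboard hook plus a well-formed name outside the allowlist.
$request = ['dashboardZoneOne', 'someNonDashboardHook'];
var_dump(saveDashConfigWeak($request));   // the format check alone lets the whole request through
try {
    saveDashConfigHardened($request);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;       // the allowlist rejects the second entry
}
```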


WAF Protection Rules

Impact
Any module can be disabled or uninstalled from back office, even with low user right.
Patches
8.1.2
Workarounds
none
References
