CVE-2023-39526: 
PHP vulnerability analysis and mitigation

PrestaShop, an open-source e-commerce web application, disclosed a critical vulnerability (CVE-2023-39526) affecting versions prior to 1.7.8.10, 8.0.5, and 8.1.1. The vulnerability enables remote code execution through SQL injection and arbitrary file write capabilities in the back office. The issue was discovered and reported by Truff through the YesWeHack platform (PrestaShop Advisory).

The vulnerability received a Critical CVSS v3.1 base score of 9.1, with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The flaw specifically involves an SQL manager vulnerability that could allow any back-office user to write, update, or delete SQL databases, regardless of their permissions. The vulnerability is classified under CWE-89 (SQL Injection) (NVD).

Successful exploitation of CVE-2023-39526 enables attackers to execute arbitrary instructions, potentially injecting fake payment forms on checkout pages to collect credit card information. The vulnerability affects nearly 300,000 online merchants worldwide, particularly impacting businesses in Europe and Latin America where PrestaShop is the leading e-commerce solution (Security Online).

PrestaShop has released security patches in versions 1.7.8.10, 8.0.5, and 8.1.1 to address this vulnerability. No alternative workarounds are available, making it crucial for users to upgrade to the patched versions (NVD).