CVE-2023-43986: 
NixOS vulnerability analysis and mitigation

DM Concept configurator before v4.9.4 contains a SQL injection vulnerability in the ConfiguratorAttachment::getAttachmentByToken component. The vulnerability, identified as CVE-2023-43986, was discovered on July 20, 2023, and publicly disclosed on October 19, 2023. This critical vulnerability affects the PrestaShop e-commerce platform through the 'Advanced configurator for customized product' module versions up to 4.9.3 (FOP Advisory).

The vulnerability stems from improper neutralization of SQL parameters in the ConfiguratorAttachment::getAttachmentByToken method, which contains a sensitive SQL call that can be executed with a trivial HTTP request. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature. The weakness is classified as CWE-89 (SQL Injection) (NVD, FOP Advisory).

The vulnerability can be exploited to perform various malicious actions including obtaining admin access, removing data from the associated PrestaShop installation, exposing sensitive data including tokens, unlocking admin ajax scripts, and hijacking emails by rewriting SMTP settings. Most critically, this exploit is actively being used to deploy webskimmers for mass credit card theft (FOP Advisory).

The vulnerability has been patched in version 4.9.4 by implementing proper SQL parameter sanitization using pSQL function. Users are strongly recommended to upgrade to the latest version. Additional security recommendations include changing the default database prefix 'ps_' to a longer arbitrary prefix, activating OWASP 942's rules on WAF (with necessary backoffice bypasses), and upgrading PrestaShop to the latest version to disable multiquery executions (FOP Advisory).