In the module “Opart Faq” (opartfaq) up to version 1.0.3 from Opart for PrestaShop, a guest can perform SQL injection in affected versions.


  • CVE ID: CVE-2023-34576
  • Published at: 2023-09-19
  • Platform: PrestaShop
  • Product: opartfaq
  • Impacted release: <= 1.0.3 (1.0.4 fixed the vulnerability - WARNING : NO SEMVER VERSIONNING BEFORE 2018 - SEE NOTE BELOW)
  • Product author: Opart
  • Weakness: CWE-89
  • Severity: critical (9.8)


The ajax script updatepos.php has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

Note : We didn’t do semver versionning before 2018 - so consider all versions which matched this pattern : XX-XX-XX to be updated without delay.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Obtain admin access
  • Remove data from the associated PrestaShop
  • Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
  • Rewrite SMTP settings to hijack emails

Patch from 1.0.3

--- 1.0.3/modules/opartfaq/updatepost.php
+++ 1.0.4/modules/opartfaq/updatepost.php
	Db::getInstance()->update('opartfaq_questions_products', array(
-			'position' => $value
+			'position' => (int) $value
-	),'id_product='.$_POST['opartFaqIdProductPos'].' AND id_opartfaq_questions='.$key);
+	),'id_product='. (int) $_POST['opartFaqIdProductPos'].' AND id_opartfaq_questions='. (int) $key);

Other recommendations

  • It’s recommended to upgrade to the latest version of the module opartfaq.
  • Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality WILL NOT protect your SHOP against injection SQL which uses the UNION clause to steal data.
  • Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.


Date Action
2023-05-24 Issue discovered during a code review by
2023-05-24 Contact Author to confirm version scope
2023-05-24 Author confirms versions scope
2023-05-24 Request CVE ID
2023-09-05 Received CVE ID
2023-09-19 Publish this security advisory

Opart thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.