CVE-2023-39652 in tvcmsvideotab
Summary
by MITRE • 08/29/2023
theme volty tvcmsvideotab up to v4.0.0 was discovered to contain a SQL injection vulnerability via the component TvcmsVideoTabConfirmDeleteModuleFrontController::run().
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/25/2026
The vulnerability identified as CVE-2023-39652 resides within the theme volty tvcmsvideotab module for PrestaShop, specifically affecting versions up to v4.0.0. This issue manifests as a SQL injection vulnerability within the TvcmsVideoTabConfirmDeleteModuleFrontController::run() component, representing a critical security weakness that could allow unauthorized access to the underlying database system. The vulnerability occurs when user input is not properly sanitized before being incorporated into SQL queries, creating an attack vector that adversaries can exploit to manipulate database operations.
The technical flaw stems from inadequate input validation and sanitization practices within the module's front controller implementation. When the ConfirmDeleteModuleFrontController processes user requests, it fails to properly escape or parameterize input parameters before incorporating them into SQL execution statements. This weakness directly maps to CWE-89 which categorizes SQL injection vulnerabilities as a result of improper input handling in database queries. The vulnerability allows attackers to inject malicious SQL code through the application's interface, potentially enabling them to extract sensitive data, modify database contents, or even execute administrative commands on the database server.
The operational impact of this vulnerability extends beyond simple data compromise, as it provides attackers with potential access to critical customer information, payment details, and system configuration data stored within the PrestaShop database. Given that this affects a popular theme module used in e-commerce environments, the attack surface is significant, potentially impacting numerous online stores and their customers. The vulnerability could enable attackers to perform unauthorized data manipulation, escalate privileges within the database, or even gain persistence within the affected systems. This type of vulnerability aligns with ATT&CK technique T1071.005 which covers application layer protocol manipulation, specifically targeting web application interfaces for database access.
Mitigation strategies for CVE-2023-39652 should prioritize immediate patching of the affected theme module to version 4.0.1 or later, which contains the necessary security fixes. Organizations should implement proper input validation and parameterized queries throughout their application codebase to prevent similar vulnerabilities from occurring in other components. Additionally, network segmentation and database access controls should be reviewed to limit potential damage from successful exploitation attempts. Regular security audits and code reviews should be conducted to identify and remediate similar input validation issues across all application components, ensuring compliance with security best practices outlined in industry standards such as OWASP Top Ten and NIST cybersecurity frameworks.