CVE-2023-40922 in kerawen Moduleinfo

Summary

by MITRE • 11/05/2023

kerawen before v2.5.1 was discovered to contain a SQL injection vulnerability via the ocs_id_cart parameter at KerawenDeliveryModuleFrontController::initContent().

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 01/30/2026

The vulnerability identified as CVE-2023-40922 affects the kerawen e-commerce platform version prior to v2.5.1, specifically within the KerawenDeliveryModuleFrontController class where the ocs_id_cart parameter is processed. This represents a critical security flaw that allows malicious actors to manipulate database queries through improper input validation. The vulnerability resides in the front-end controller implementation where user-supplied parameters are directly incorporated into SQL statements without adequate sanitization or parameterization measures.

The technical nature of this vulnerability classifies it as a SQL injection flaw under CWE-89, which occurs when application code incorporates untrusted data into SQL queries without proper validation or escaping mechanisms. The ocs_id_cart parameter serves as the attack vector where an attacker can inject malicious SQL payloads that bypass normal input validation checks. When the KerawenDeliveryModuleFrontController processes this parameter, it fails to properly sanitize or escape the input before incorporating it into database queries, creating an exploitable condition that could allow unauthorized database access.

The operational impact of this vulnerability extends beyond simple data theft, as it could enable attackers to perform unauthorized database operations including data extraction, modification, or deletion. An attacker could potentially escalate privileges, access sensitive customer information, manipulate order processing, or even gain persistence within the system through database-level attacks. The vulnerability affects the core delivery module functionality, potentially disrupting normal business operations while providing attackers with a pathway to compromise the entire e-commerce platform infrastructure.

Mitigation strategies should focus on immediate patching of the kerawen platform to version 2.5.1 or later where the SQL injection vulnerability has been addressed. Additionally, implementing proper input validation and parameterized queries for all user-supplied parameters is essential. The system should employ prepared statements or parameterized queries to ensure that user input cannot alter the structure of SQL commands. Security monitoring should be enhanced to detect unusual database access patterns, and input filtering should be implemented at multiple layers including application-level validation, web application firewalls, and database-level access controls. Organizations should also conduct comprehensive security assessments of their e-commerce platforms to identify similar vulnerabilities in other modules or components that may be susceptible to the same class of attack patterns.

Reservation

08/22/2023

Disclosure

11/05/2023

Moderation

accepted

CPE

ready

EPSS

0.00504

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!