CVE-2023-45376 in Carousels Pack Module
Summary
by MITRE • 10/25/2023
In the module "Carousels Pack - Instagram, Products, Brands, Supplier" (hicarouselspack) for PrestaShop up to version 1.5.0 from HiPresta for PrestaShop, a guest can perform SQL injection via HiCpProductGetter::getViewedProduct().`
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability CVE-2023-45376 affects the HiPresta Carousels Pack module for PrestaShop, specifically targeting versions up to 1.5.0. This module provides carousel functionality for displaying Instagram content, products, brands, and supplier information within PrestaShop e-commerce platforms. The flaw exists within the HiCpProductGetter::getViewedProduct() method which processes user input without proper sanitization, creating an avenue for malicious SQL injection attacks. The vulnerability is particularly concerning as it allows unauthenticated guests to exploit the system, eliminating the need for prior authentication or privileged access.
The technical implementation of this vulnerability stems from improper input validation within the module's product getter functionality. When a guest user accesses certain carousel components, the getViewedProduct() method processes parameters directly from HTTP requests without adequate sanitization or parameter binding. This creates a classic SQL injection vector where malicious input can be crafted to manipulate the underlying database queries. The vulnerability maps to CWE-89 which specifically addresses SQL injection flaws, and aligns with ATT&CK technique T1190 for exploiting vulnerabilities in web applications. Attackers can potentially extract sensitive data, modify database contents, or even escalate privileges within the affected system.
The operational impact of this vulnerability extends beyond simple data theft, as it represents a critical security weakness in e-commerce infrastructure. An attacker could leverage this vulnerability to access customer information, product catalogs, pricing data, and potentially financial records stored within the PrestaShop database. The unauthenticated nature of the attack means that any visitor to the website could exploit this weakness, making it particularly dangerous for public-facing e-commerce sites. The vulnerability affects not just the specific module but potentially the entire PrestaShop platform if proper input validation is not implemented at multiple layers. This weakness could also serve as a stepping stone for more sophisticated attacks, allowing threat actors to gain deeper access to the system.
Mitigation strategies should focus on immediate patching of the affected module to version 1.5.1 or later where the SQL injection vulnerability has been addressed. Organizations should also implement proper input validation and parameterized queries throughout their PrestaShop installations to prevent similar issues in other modules. Network-level protections including web application firewalls and intrusion detection systems can provide additional defense-in-depth measures. Regular security audits and vulnerability assessments should be conducted to identify and remediate similar issues across the entire e-commerce platform. The module developers should also implement proper access controls and input sanitization measures to prevent unauthorized data manipulation and ensure the integrity of database operations. Organizations should monitor their systems for any signs of exploitation attempts and maintain comprehensive logging to track potential security incidents related to this vulnerability.