PT-2023-22557 · Unknown+1 · Prestashop+1
Published: 2023-06-02 · Updated: 2023-06-12 · CVE-2023-30149
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
PrestaShop module City Autocomplete versions prior to 1.8.12 (for PrestaShop 1.5/1.6)
PrestaShop module City Autocomplete versions prior to 2.0.3 (for PrestaShop 1.7)

Description: The issue allows remote attackers to execute arbitrary SQL commands via the type, input name, or q parameter of the "autocompletion.php" front controller. This can lead to unauthorized access to, and manipulation of, database content.

Recommendations:
For PrestaShop module City Autocomplete versions prior to 1.8.12 (for PrestaShop 1.5/1.6), update to version 1.8.12 or later.
For PrestaShop module City Autocomplete versions prior to 2.0.3 (for PrestaShop 1.7), update to version 2.0.3 or later.
As a temporary workaround, consider restricting access to the autocompletion.php front controller until the patch is applied, and avoid using the type, input name, or q parameters of the affected endpoint until the issue is resolved.
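Until the module is updated, a defender can at least see whether the vulnerable controller is being probed. The following access-log triage script is an added example, not code from the advisory or from the module vendor: it parses combined-format web server log lines, keeps requests to autocompletion.php, and flags those whose type, input_name or q parameters carry SQL metacharacters. It assumes the parameter the advisory calls "input name" is sent as input_name, and the module path and log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common log format: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
CONTROLLER = "autocompletion.php"          # front controller named in the advisory
WATCHED = ("type", "input_name", "q")      # parameters named in the advisory (input_name assumed)
# Quote characters, comment openers and keyword+operand pairs that a
# legitimate city lookup should never contain.
SQLI_HINT = re.compile(
    r"""['";#]|--|/\*|\b(union|select|sleep|benchmark|or|and)\b\s*[\(\d'"]""", re.I
)

def triage(line):
    """Return (client_ip, {param: values}) for a hit on the controller, else None.
    The dict is empty when none of the watched parameters looks suspicious."""
    m = LOG_RE.match(line)
    if not m or CONTROLLER not in m["url"]:
        return None
    # parse_qs percent-decodes, so encoded quotes are inspected as quotes
    params = parse_qs(urlsplit(m["url"]).query, keep_blank_values=True)
    flagged = {k: v for k, v in params.items()
               if k in WATCHED and any(SQLI_HINT.search(x) for x in v)}
    return m["ip"], flagged

def scan(lines):
    """Return (controller_hits, alerts); alerts are the (ip, flagged) tuples."""
    hits, alerts = 0, []
    for line in lines:
        result = triage(line)
        if result is None:
            continue
        hits += 1
        if result[1]:
            alerts.append(result)
    return hits, alerts

# Constructed sample log lines (not real traffic; module path is assumed).
SAMPLE = [
    '203.0.113.5 - - [02/Jun/2023:10:00:01 +0000] "GET /modules/cityautocomplete/autocompletion.php?type=city&q=Ber HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jun/2023:10:00:09 +0000] "GET /modules/cityautocomplete/autocompletion.php?type=city%27%20OR%20%271%27%3D%271&q=a HTTP/1.1" 200 9001',
    '192.0.2.9 - - [02/Jun/2023:10:01:00 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for ip, flagged in scan(SAMPLE)[1]:
        print(ip, flagged)
```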

Tags: Exploit · Fix · RCE · SQL injection

Weakness Enumeration

Related Identifiers: CVE-2023-30149

Affected Products: City Autocomplete, Prestashop