CVE-2023-30154

Name of the Vulnerable Software and Affected Versions AfterMail (aftermailpresta) for PrestaShop versions prior to 2.2.1

Description The issue is related to multiple improper neutralization of SQL parameters, allowing remote attackers to perform SQL injection attacks. This can be done via parameters such as id customer, id conf, id product, and token in aftermailajax.php, as well as via the id product parameter in hooks DisplayRightColumnProduct and DisplayProductButtons.

Recommendations For versions prior to 2.2.1, update to version 2.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the aftermailajax.php file and limiting the use of the id customer, id conf, id product, and token parameters until a patch is applied. Restrict access to the hooks DisplayRightColumnProduct and DisplayProductButtons to minimize the risk of exploitation via the id product parameter.