CVE-2023-45377 is a critical SQL injection vulnerability identified in the "Chronopost Official" module for PrestaShop, specifically within the PHP script cancelSkybill.php. This vulnerability allows an unauthenticated guest user to perform SQL injection attacks by sending a crafted HTTP request to the vulnerable script. The injection point lies in sensitive SQL calls within cancelSkybill.php, which are improperly sanitized, enabling attackers to manipulate backend database queries. Exploiting this flaw can lead to full compromise of the database confidentiality, integrity, and availability. Attackers can extract sensitive data, modify or delete records, and potentially execute further attacks such as privilege escalation or remote code execution depending on the backend environment. The vulnerability has a CVSS 3.1 score of 9.8, indicating critical severity with network attack vector, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the trivial nature of exploitation and the critical impact make this a high-risk issue. The vulnerability stems from CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and dangerous class of injection flaws. Since PrestaShop is a widely used e-commerce platform, and Chronopost is a popular shipping module, this vulnerability can affect many online stores that rely on this integration for shipping label cancellation or management. The lack of specified affected versions suggests the issue may be present in multiple or all versions of the module currently deployed.

For European organizations, especially e-commerce businesses using PrestaShop with the Chronopost Official module, this vulnerability poses a severe risk. Successful exploitation can lead to unauthorized access to customer data, order information, and potentially payment details stored in the database. This compromises GDPR compliance and can result in significant financial penalties and reputational damage. Additionally, attackers could disrupt shipping operations by manipulating or cancelling shipments, causing logistical and operational disruptions. The critical nature of the vulnerability means attackers can fully compromise the backend database without authentication, increasing the risk of widespread data breaches. Given Chronopost is a major French shipping service provider, European companies relying on this module for shipping integration are particularly at risk. The vulnerability could also be leveraged as a pivot point for further attacks within the corporate network, impacting broader IT infrastructure and business continuity.

Immediate mitigation steps include: 1) Applying any available patches or updates from the Chronopost Official module developers or PrestaShop community as soon as they are released. 2) If patches are not yet available, temporarily disabling or removing the cancelSkybill.php script or the entire Chronopost module to prevent exploitation. 3) Implementing Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the module's endpoints. 4) Conducting thorough input validation and sanitization on all parameters accepted by cancelSkybill.php to prevent injection. 5) Reviewing database permissions to ensure the application uses least privilege principles, limiting the impact of any injection. 6) Monitoring web server and application logs for suspicious HTTP requests indicative of SQL injection attempts. 7) Performing security audits and penetration testing focused on this module to identify any additional weaknesses. 8) Educating development and operations teams about secure coding practices to prevent similar vulnerabilities in custom modules or integrations.