Skip to content

Blind SQL injection in PrestaShop productcomments module

Low severity GitHub Reviewed Published Dec 3, 2020 in PrestaShop/productcomments • Updated Feb 1, 2023

Package

composer prestashop/productcomments (Composer)

Affected versions

>= 4.0.0, < 4.2.1

Patched versions

4.2.1

Description

Impact

An attacker can use a Blind SQL injection to retrieve data or stop the MySQL service.

Patches

The problem is fixed in 4.2.1

References

@PierreRambaud PierreRambaud published to PrestaShop/productcomments Dec 3, 2020
Published by the National Vulnerability Database Dec 3, 2020
Reviewed Jan 20, 2021
Published to the GitHub Advisory Database Jan 20, 2021
Last updated Feb 1, 2023

Severity

Low

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(99th percentile)

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

CVE ID

CVE-2020-26248

GHSA ID

GHSA-5v44-7647-xfw9

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.