Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
The store system in PrestaShop 126.96.36.199 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products parameter.
Watch the video to learn more about this and other important vulnerabilities.
1.2 CVSS Score
The CVSS Base score of this vulnerability is 9.8 Critical as per NVD. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1.3 Affected Version
1.4 Vulnerability Attribution
This vulnerability is disclosed by MITRE.
1.5 Risk Impact
PrestaShop is a freemium, open source e-commerce platform. The software is published under the Open Software License. It is written in the PHP programming language with support for the MySQL database management system. PrestaShop is currently used by 300,000 shops worldwide and is available in 60 different languages.
Exploiting this vulnerability can lead to attacker planting a backdoor via SQL commands to exposure of all sensitive data that resides in the database, including all employee sensitive information. Exploit is available in public domain here.
1.6 Virsec Security Platform (VSP) Support:
VSP-Web capability can detect such a SQL injection attack and prevent this attack from being exploited.