CVE-2022-31181

Remote code execution in prestashop

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.

PrestaShop es una plataforma de comercio electrónico de código abierto. En las versiones a partir de 1.6.0.10 y anteriores a 1.7.8.7, PrestaShop está sujeta a una vulnerabilidad de inyección SQL que puede ser encadenada para llamar a la función Eval de PHP en la entrada del atacante. El problema ha sido solucionado en versión 1.7.8.7. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar pueden eliminar la función de caché MySQL Smarty

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-08-01 CVE Published
2024-02-22 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (3)

URL	Tag	Source
https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7	Release Notes
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4	Mitigation

URL	Date	SRC

URL	Date	SRC
https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804	2022-09-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Prestashop Search vendor "Prestashop"		Prestashop Search vendor "Prestashop" for product "Prestashop"				>= 1.6.0.10 < 1.7.8.7 Search vendor "Prestashop" for product "Prestashop" and version " >= 1.6.0.10 < 1.7.8.7"		-		Affected