CVE-2020-15160
published 2020-09-24


Priority: P266 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 10.81% (95.3th percentile)
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL injection attack in the Catalog Product edition page via the location parameter. The problem is fixed in 1.7.6.8.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prestashop | prestashop | | |
| prestashop | prestashop | >= 1.7.5.0 < 1.7.6.8 | 1.7.6.8 |

Detection & IOCs (extracted from sources)

other: `0'|(ascii(substr(user(),%d,1)) regexp [CHAR])#`
other: `0'|ascii((substr((select passwd from ps_employee),1,1)) regexp [CHAR]#)`
path: `form[step3][location]`
  • Monitor POST requests to the PrestaShop admin Catalog Product edition page for SQL injection patterns in the `form[step3][location]` parameter, specifically payloads containing bitwise OR with ascii/substr/regexp constructs (e.g., `0'|(...regexp...)#`).
  • Blind SQLi is performed by iterating over character positions (range 1–40) using `ascii(substr(...))` with a regexp-based boolean oracle; detect repeated near-identical POST requests to the product edit endpoint differing only in the location field value.
  • The exploit targets extraction of the `passwd` column from the `ps_employee` table; alert on SQL fragments referencing `ps_employee` in HTTP POST body parameters.
  • The vulnerability affects PrestaShop versions 1.7.5.0 through 1.7.6.7 only; version 1.7.6.8 is patched. Detection rules should be scoped to unpatched instances.
  • Exploitation requires authenticated admin access to the back-office Catalog Product edition page; unauthenticated detection rules will produce false negatives.
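
The first three bullets above as a log-side check in Python. This is an added example, not code from the page or from PrestaShop: it inspects the decoded `form[step3][location]` value and groups POST bodies that differ only in that field. The client identifier, the `constructed_field` parameter and the sample requests are constructed; the two strings are the patterns quoted above with only the position filled in.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode

FIELD = "form[step3][location]"  # parameter named on the page
# Constructs listed on the page; a legitimate location is a short stock label.
RULES = {
    "sql_function": re.compile(r"\b(?:ascii|substr|user)\s*\(", re.I),
    "regexp_oracle": re.compile(r"\bregexp\b", re.I),
    "quote_bitwise_or": re.compile(r"'\s*\|"),
    "employee_table": re.compile(r"\bps_employee\b", re.I),
    "trailing_comment": re.compile(r"#\)?\s*$"),
}

def inspect_body(body):
    """Names of the rules that the decoded location field matches."""
    value = dict(parse_qsl(body, keep_blank_values=True)).get(FIELD, "")
    return sorted(name for name, rx in RULES.items() if rx.search(value))

def find_enumeration(requests, threshold=3):
    """Clients with >= threshold POSTs that differ only in FIELD.

    requests: iterable of (client_id, body); client_id is an assumption,
    e.g. the back-office session or employee id from your own logs.
    """
    seen = defaultdict(set)
    for client, body in requests:
        pairs = parse_qsl(body, keep_blank_values=True)
        value = dict(pairs).get(FIELD)
        if value is not None:
            rest = tuple(sorted(p for p in pairs if p[0] != FIELD))
            seen[(client, rest)].add(value)
    return sorted({c for (c, _), vals in seen.items() if len(vals) >= threshold})

# Constructed sample requests. The two strings are the patterns quoted on the
# page, with only the position filled in; "constructed_field" is made up.
P1 = "0'|(ascii(substr(user(),%d,1)) regexp [CHAR])#"
P2 = "0'|ascii((substr((select passwd from ps_employee),1,1)) regexp [CHAR]#)"
def post(location):
    return urlencode({"constructed_field": "Mug", FIELD: location})
SAMPLE = [("sess-A", post(P1 % pos)) for pos in (1, 2, 3)]
SAMPLE += [("sess-B", post("Aisle 4, shelf 2")), ("sess-C", post(P2))]

if __name__ == "__main__":
    for client, body in SAMPLE:
        print(client, inspect_body(body))
    print("enumeration:", find_enumeration(SAMPLE))
```

A single rule such as `trailing_comment` can match a legitimate label ending in `#`, so alert on combinations of rules or on the enumeration result rather than on any one match.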

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P