CVE-2020-26248
published 2020-12-03

CVSS 3.1: 8.2 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Exploit: available
EPSS: 12.39% (95.7th percentile)
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.

Affected (3 ranges)

Vendor      Product          Version range        Fixed in
prestashop  productcomments  < 4.2.1              4.2.1
prestashop  productcomments  (not stated)         (not stated)
prestashop  productcomments  >= 4.0.0, < 4.2.1    4.2.1

Detection & IOCs (extracted from sources)

url: http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]
url: http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)
command: (select*from(select(sleep(2)))a)
sigma
detection:
  selection:
    - 'status_code == 200'
    - 'contains(content_type, "application/json")'
    - 'contains(body, "average_grade")'
  condition: and
  • Monitor HTTP requests targeting the PrestaShop ProductComments module endpoint: index.php with query parameters fc=module, module=productcomments, controller=CommentGrade, and a potentially malicious id_products[] value containing SQL payloads (e.g., sleep(), nested SELECT statements).
  • Alert on HTTP responses with status 200, Content-Type application/json, and body containing 'average_grade' — this is the successful exploitation response fingerprint for the blind SQLi probe against the CommentGrade controller.
  • The vulnerable parameter is 'id_products[]' (URL-encoded as id_products%5B%5D). Inspect this array parameter for time-based blind SQL injection patterns such as sleep() or nested SELECT subqueries.
  • The vulnerability is fixed in productcomments module version 4.2.1. Ensure the installed module version is 4.2.1 or later; versions <= 4.2.0 are vulnerable.
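To turn the detection bullets above into something that runs, here is an added script (not from this page or from PrestaShop) that scans access-log lines for CommentGrade requests whose id_products[] value carries the sleep()/nested-SELECT patterns, and checks an installed module version against 4.2.1; the combined log format and the sample lines are assumptions, constructed for the example.

```python
# Flag CVE-2020-26248 probes (productcomments CommentGrade blind SQLi) in access logs.
# Added example, not code from the page or from PrestaShop; assumes combined log
# format (Apache/nginx). The sample lines at the bottom are constructed.
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (4, 2, 1)  # module version that fixes the issue (from the advisory)
# client - - [timestamp] "METHOD /path?query HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')
# Time-based and nested-subquery patterns named on the page; applied to the decoded value.
SQLI_RE = re.compile(r"sleep\s*\(|benchmark\s*\(|\(\s*select\b.*\bfrom\b", re.IGNORECASE)

def is_vulnerable_version(version: str) -> bool:
    """True when the installed productcomments version is below 4.2.1."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION

def analyse_line(line: str):
    """Return a finding for a suspicious CommentGrade request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/index.php":
        return None
    q = parse_qs(url.query)  # percent-decodes, so the key reads id_products[]
    if (q.get("fc"), q.get("module"), q.get("controller")) != (
            ["module"], ["productcomments"], ["CommentGrade"]):
        return None
    for value in q.get("id_products[]", []):
        if SQLI_RE.search(value):
            reason = "sqli_pattern"
        elif not value.isdigit():
            reason = "non_numeric_id"  # product ids are integers; anything else is odd
        else:
            continue
        # A 200 alone is not confirmation: the 'average_grade' JSON body fingerprint
        # from the page needs response logging (proxy/WAF), which access logs lack.
        return {"ip": m.group("ip"), "status": int(m.group("status")),
                "payload": value, "reason": reason}
    return None

def scan(lines):
    """Collect findings over an iterable of log lines."""
    return [f for f in map(analyse_line, lines) if f]

SAMPLE_LOG = [  # constructed lines, not real traffic
    '198.51.100.4 - - [03/Dec/2020:10:14:58 +0000] "GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=12 HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Dec/2020:10:15:02 +0000] "GET /index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a) HTTP/1.1" 200 91 "-" "curl/7.68.0"',
    '198.51.100.4 - - [03/Dec/2020:10:15:10 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Only the second sample line is reported; the benign integer id and the unrelated product page pass through.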

CVSS provenance

NVD, CVSS v3.1: 8.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
NVD, CVSS v2.0: 6.4 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:P