CVE-2021-37538
published 2021-08-24


Priority: P1 (89)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild: yes (in-the-wild exploitation, public exploit, VulnCheck KEV)
EPSS: 74.49% (99.4th percentile)
Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller.

Affected

1 range

Vendor          Product     Version range   Fixed in
smartdatasoft   smartblog   < 4.06          4.06

Detection & IOCs (extracted from sources)

url:  /module/smartblog/archive?month=1&year=1&day=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,(SELECT%20MD5(55555)),NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-
path: controllers/front/archive.php
path: controllers/front/category.php
  • Detect exploitation attempts against the SmartBlog archive endpoint: UNION-based SQL injection in the `day`, `month`, or `year` GET parameters.
  • Detect exploitation attempts against the SmartBlog category endpoint: SQL injection in the `id_category` GET parameter.
  • The PoC probe is a UNION ALL SELECT with 23 columns, the 16th of which is `(SELECT MD5(55555))`; an HTTP 200 response whose body contains the MD5 digest `c5fe25896e49ddfe996db7508cf00534` confirms in-band (UNION-based, not blind) SQL injection, because the injected column was rendered into the page.
  • No session or authentication token is required to trigger the vulnerability; monitor for UNION SELECT and similar payloads on /module/smartblog/ paths regardless of whether the request carries a session cookie.
  • Only SmartBlog for PrestaShop versions before 4.06 are affected; patched installations (4.06 and later) are not.
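The detection points above, turned into a small log-line detector as an added example (this is not code from the advisory, from VulnCheck, or from the SmartBlog project). It parses combined-format web server access logs, scopes the SQL-injection check to exactly the two SmartBlog controllers and the parameters named in the CVE, decodes repeatedly so double-encoded quotes are not missed, and computes the MD5(55555) success marker the PoC looks for in the response body. The log lines are constructed samples (line 2 carries the PoC URL from this page). Handling of PrestaShop's non-rewritten module URL form (`index.php?fc=module&module=smartblog&controller=...`) is an assumption about PrestaShop routing, not something the advisory states.

```python
import hashlib
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not from the advisory or the SmartBlog project.

# Controller -> injectable GET parameters, exactly as listed in CVE-2021-37538.
WATCHED = {
    "archive": {"day", "month", "year"},
    "category": {"id_category"},
}

# SQL injection indicators. Kept deliberately simple: the regex is only ever
# applied to the parameters above, so a handful of tokens gives low noise.
SQLI_RE = re.compile(
    r"(?i)(union\s+(?:all\s+)?select|\bselect\b.+\bfrom\b"
    r"|\b(?:sleep|benchmark|md5|extractvalue|updatexml)\s*\("
    r"|'\s*(?:or|and)\b|--[\s-]|/\*|;)"
)

# Apache/nginx combined log format (the constructed samples below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def _decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so %2527-style double encoding cannot hide a quote."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def smartblog_controller(path, params):
    """Return 'archive' or 'category' if the request targets a watched SmartBlog controller.

    Covers the rewritten form /module/smartblog/<controller> used by the PoC (optionally
    behind a language prefix such as /en/) and, as an ASSUMPTION about PrestaShop routing,
    the non-rewritten form index.php?fc=module&module=smartblog&controller=<controller>.
    """
    m = re.fullmatch(r"(?:/[^/]+)*/module/smartblog/(archive|category)/?", path)
    if m:
        return m.group(1)
    if (params.get("fc") == ["module"] and params.get("module") == ["smartblog"]
            and params.get("controller", [""])[0] in WATCHED):
        return params["controller"][0]
    return None


def inspect(line):
    """Return a list of findings for one access-log line (empty if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    controller = smartblog_controller(parts.path, params)
    if controller is None:
        return []
    findings = []
    for name in sorted(WATCHED[controller]):
        for raw in params.get(name, []):
            value = _decode(raw)
            hit = SQLI_RE.search(value)
            if hit:
                findings.append({
                    "ip": m.group("ip"),
                    "controller": controller,
                    "param": name,
                    "indicator": hit.group(0),
                    "status": int(m.group("status")),
                    "value": value,
                })
    return findings


def scan(lines):
    """Run inspect() over an iterable of log lines and flatten the findings."""
    return [f for line in lines for f in inspect(line)]


def expected_marker():
    """MySQL MD5(55555) hashes the string '55555'. The PoC puts it in the 16th UNION column;
    a response body containing this digest means that column was rendered (in-band SQLi)."""
    return hashlib.md5(b"55555").hexdigest()


# Constructed sample lines (not real traffic). Line 2 carries the PoC URL from this page.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Aug/2021:10:00:01 +0000] "GET /module/smartblog/archive?month=8&year=2021&day=24 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/Aug/2021:10:00:02 +0000] "GET /module/smartblog/archive?month=1&year=1&day=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,(SELECT%20MD5(55555)),NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20- HTTP/1.1" 200 6021',
    '203.0.113.9 - - [24/Aug/2021:10:00:03 +0000] "GET /module/smartblog/category?id_category=1%27%20AND%201%3D1--%20- HTTP/1.1" 200 4870',
    '203.0.113.9 - - [24/Aug/2021:10:00:04 +0000] "GET /index.php?fc=module&module=smartblog&controller=category&id_category=1%2527%2520OR%25201%253D1--%2520- HTTP/1.1" 200 4870',
    '192.0.2.5 - - [24/Aug/2021:10:00:05 +0000] "GET /index.php?controller=search&s=1%20UNION%20SELECT%201 HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['controller']}.{f['param']} <- {f['indicator']!r} (HTTP {f['status']})")
    print("success marker to look for in response bodies:", expected_marker())
```

Access logs show the request but not the response body, so the HTTP 200 plus UNION payload from the log is an exploitation attempt; confirming success needs the digest from `expected_marker()` found in captured response content (WAF or proxy logging), as the PoC check describes. The last sample line, a UNION payload against an unrelated search endpoint, is intentionally not flagged: the rule is scoped to the SmartBlog controllers so it stays specific to this CVE.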

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -