CVE-2022-31101
published 2022-06-27


Priority: P2 (72) · Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 24.15% (97.6th percentile)
prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.

Affected

3 ranges
Vendor      Product        Version range       Fixed in
prestashop  blockwishlist  < 2.1.1             2.1.1
prestashop  blockwishlist  -                   -
prestashop  blockwishlist  >= 2.0.0 < 2.1.1    2.1.1

Detection & IOCs (extracted from sources)

url: /modules/blockwishlist/config.xml
url: /module/blockwishlist/view?id_wishlist=
command: &order=p.name, (select case when (<condition>) then (SELECT SLEEP(7)) else 1 end); -- .asc
command: p.name, (select case when (<condition>) then (SELECT SLEEP(7)) else 1 end from ps_customer where id_customer=<id>); -- .asc
  • Detect version-check requests to the blockwishlist config.xml endpoint: a 200 response whose body contains 'Wishlist block' with a version between 2.0.0 and 2.1.0 (i.e. anything below the fixed 2.1.1) indicates a vulnerable installation.
  • Monitor GET requests to /module/blockwishlist/view with an `order` parameter containing time-based blind SQL injection payloads, specifically query strings matching `SLEEP(`, `case when`, and `-- .`.
  • Alert on requests to the blockwishlist view endpoint where the `order` parameter contains substrings such as `SELECT SLEEP`, `SUBSTRING(database()`, `SUBSTRING(firstname`, `SUBSTRING(passwd`, or `SUBSTRING(reset_password_token`; all are indicative of time-based blind SQLi enumeration against the ps_customer table.
  • The exploit targets the default PrestaShop table prefix `ps_`, specifically the `ps_customer` table, to exfiltrate the firstname, lastname, email, passwd, and reset_password_token columns via time-based blind injection.
  • Requests to the blockwishlist view endpoint with a client timeout of 8 seconds or more, combined with SQL keywords in the `order` parameter, are characteristic of the time-based blind SQLi exploit (SLEEP(7) is used as the delay).
  • The exploit assumes the default PrestaShop table prefix `ps_` is in use; installations using a custom prefix will not be targeted by this specific payload pattern.
  • Exploitation requires an authenticated customer session; the attacker must supply a valid session cookie to the vulnerable endpoint.
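A log-scanning check for the `order`-parameter indicators listed above, added here as an example that is not from this page's source or the PrestaShop project; it assumes Apache/Nginx combined-format access logs and uses the constructed sample lines embedded in it.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicator substrings from the advisory's detection guidance, matched
# case-insensitively against the decoded `order` parameter.
SQLI_INDICATORS = (
    "select sleep", "sleep(", "case when", "-- .",
    "substring(database()", "substring(firstname",
    "substring(passwd", "substring(reset_password_token",
)
VIEW_PATH = "/module/blockwishlist/view"

# Minimal parser for the request line of an Apache/Nginx "combined" log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def check_request(target: str) -> list[str]:
    """Return the indicators present in the `order` parameter of one request target ([] if none)."""
    parts = urlsplit(target)
    if VIEW_PATH not in parts.path:
        return []
    hits: list[str] = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("order", []):
        # parse_qs already decoded once; decode again to catch double-encoded payloads.
        decoded = unquote_plus(raw).lower()
        for ind in SQLI_INDICATORS:
            if ind in decoded and ind not in hits:
                hits.append(ind)
    return hits

def scan_log(lines) -> list[dict]:
    """Scan access-log lines and return one alert per request carrying SQLi indicators."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        hits = check_request(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "indicators": hits})
    return alerts

# Constructed sample lines (not real traffic): a benign sort, a blind-SQLi probe, an unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jun/2022:10:00:01 +0000] "GET /module/blockwishlist/view?id_wishlist=3&order=p.name.asc HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jun/2022:10:00:09 +0000] "GET /module/blockwishlist/view?id_wishlist=3&order=p.name%2C%20%28select%20case%20when%20%281%3D1%29%20then%20%28SELECT%20SLEEP%287%29%29%20else%201%20end%29%3B%20--%20.asc HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '198.51.100.9 - - [27/Jun/2022:10:00:12 +0000] "GET /index.php?controller=product&id_product=7 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

Pair the indicator hits with the per-request latency your web server records (e.g. Nginx `$request_time`) to confirm the SLEEP(7) delay actually fired, which separates a successful injection from a blocked attempt.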

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD     v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P