CVE-2022-31101
Published: 2022-06-27
Priority: P2 72 · CVSS 3.1: 8.8 (High)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 24.15% (97.6th percentile)
prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prestashop | blockwishlist | < 2.1.1 | 2.1.1 |
| prestashop | blockwishlist | — | — |
| prestashop | blockwishlist | >= 2.0.0 < 2.1.1 | 2.1.1 |
Detection & IOCs (extracted from sources)
Command (time-based blind SQLi payload shape seen in the public exploit): `p.name, (select case when (<condition>) then (SELECT SLEEP(7)) else 1 end from ps_customer where id_customer=<id>); -- .asc`
Detection heuristics:
- Detect version-check requests to the blockwishlist config.xml endpoint; a 200 response whose body contains 'Wishlist block' and reports a version from 2.0.0 up to and including 2.1.0 (2.1.1 is the fixed release) indicates a vulnerable installation.
- Monitor GET requests to /module/blockwishlist/view with an `order` parameter carrying SQL time-based blind injection payloads, specifically patterns matching `SLEEP(`, `case when`, and `-- .` in the query string.
- Alert on requests to the blockwishlist view endpoint where the `order` parameter contains substrings such as `SELECT SLEEP`, `SUBSTRING(database()`, `SUBSTRING(firstname`, `SUBSTRING(passwd`, or `SUBSTRING(reset_password_token`, all indicative of time-based blind SQLi enumeration against the ps_customer table.
- The exploit targets the default PrestaShop table prefix `ps_`, specifically the `ps_customer` table, to exfiltrate the firstname, lastname, email, passwd, and reset_password_token columns via time-based blind injection.
- Requests to the blockwishlist view endpoint that take 8 seconds or more to complete, combined with SQL keywords in the `order` parameter, are characteristic of the time-based blind SQLi exploit (SLEEP(7) is used as the delay).
Caveats:
- The exploit assumes the default PrestaShop table prefix `ps_` is in use; installations using a custom prefix will not be affected by this specific payload pattern, although the underlying injection remains.
- Exploitation requires an authenticated customer session; the attacker must supply a valid session cookie to the vulnerable endpoint.
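The heuristics above can be turned into a simple access-log check. The scanner below is an added example, not code from the advisory, the module or the exploit; it assumes Common Log Format lines and uses constructed sample entries, flagging only requests to the wishlist view endpoint whose decoded `order` parameter contains one of the listed markers.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Hypothetical log scanner (added example, not the advisory's or the module's code)
# that applies the detection notes for CVE-2022-31101 to access-log lines.
WISHLIST_VIEW = "/module/blockwishlist/view"

# Substrings named in the detection notes; compared case-insensitively after decoding.
SQLI_MARKERS = (
    "select sleep", "sleep(", "case when", "-- .",
    "substring(database()", "substring(firstname",
    "substring(passwd", "substring(reset_password_token",
)

# Common Log Format: client - - [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample lines: a benign sort, an injection attempt in `order`,
# and an unrelated endpoint that mentions SLEEP and must not fire.
LOG_SAMPLE = [
    '203.0.113.5 - - [09/Aug/2022:10:00:01 +0000] "GET /module/blockwishlist/view?id_wishlist=1&order=p.name.asc HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/Aug/2022:10:00:09 +0000] "GET /module/blockwishlist/view?id_wishlist=1&order=p.name%2C%28select+case+when+%281%3D1%29+then+%28SELECT+SLEEP%287%29%29+else+1+end%29--+.asc HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Aug/2022:10:01:00 +0000] "GET /search?q=SLEEP%287%29 HTTP/1.1" 200 900',
]


def inspect_order_param(target):
    """Return the markers found in the `order` parameter of a request to the
    wishlist view endpoint (empty list for another path or no marker)."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != WISHLIST_VIEW:
        return []
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("order", []):
        decoded = unquote_plus(value).lower()  # extra pass catches double-encoding
        for marker in SQLI_MARKERS:
            if marker in decoded and marker not in hits:
                hits.append(marker)
    return hits


def scan_log(lines):
    """Return (client, timestamp, markers) for every line that hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, _status, _size = m.groups()
        markers = inspect_order_param(target)
        if markers:
            findings.append((client, ts, markers))
    return findings
```

Pair this with the response-time heuristic (requests taking 8 seconds or more) to cut false positives from shops whose product names legitimately contain SQL-like words.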
CVSS provenance
NVD v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
GHSA
BlockWishList SQL Injection vulnerability
ghsa · 2022-06-25 · HIGH · CWE-89
### Impact
An authenticated customer can perform SQL injection
### Patches
Issue is fixed in 2.1.1
OSV
BlockWishList SQL Injection vulnerability
osv · 2022-06-25 · HIGH
### Impact
An authenticated customer can perform SQL injection
### Patches
Issue is fixed in 2.1.1
No detection rules found.
Exploit-DB
Prestashop blockwishlist module 2.1.0 - SQLi
exploitdb · 2022-08-09 · CVSS 8.1 · HIGH
Excerpt of the indexed exploit script (header and first lines only, as indexed):

```python
# Exploit Title: Prestashop blockwishlist module 2.1.0 - SQLi
# Date: 29/07/22
# Exploit Author: Karthik UJ (@5up3r541y4n)
# Vendor Homepage: https://www.prestashop.com/en
# Software Link (blockwishlist): https://github.com/PrestaShop/blockwishlist/releases/tag/v2.1.0
# Software Link (prestashop): https://hub.docker.com/r/prestashop/prestashop/
# Version (blockwishlist): 2.1.0
# Version (prestashop): 1.7.8.1
# Tested on: Linux
# CVE: CVE-2022-31101
# This exploit assumes that the website uses 'ps_' as prefix for the table names since it is the default prefix given by PrestaShop
import requests
url = input("Enter the url of wishlist's endpoint (http://website.com/module/blockwishlist/view?id_wishlist=1): ") # Example: http://website.com
```
Nuclei
Prestashop Blockwishlist 2.1.0 SQL Injection
nuclei · CVSS 8.8 · HIGH
Prestashop Blockwishlist module version 2.1.0 suffers from a remote authenticated SQL injection vulnerability.
Template (as indexed; the reference list is cut off):

```yaml
id: CVE-2022-31101

info:
  name: Prestashop Blockwishlist 2.1.0 SQL Injection
  author: mastercho
  severity: high
  description: |
    Prestashop Blockwishlist module version 2.1.0 suffers from a remote authenticated SQL injection vulnerability.
  impact: |
    Authenticated attackers can exploit SQL injection in the Blockwishlist module to extract sensitive database information including customer details, order data, and admin credentials from the PrestaShop database.
  remediation: |
    Update Prestashop Blockwishlist module to a version newer than 2.1.0 that properly sanitizes user input and uses parameterized queries.
  reference:
    - https://c
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html
- https://github.com/PrestaShop/blockwishlist/commit/b3ec4b85af5fd73f74d55390b226d221298ca084
- https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp