CVE-2022-31181
Published 2022-08-01
Priority P181 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.07% (91.3th percentile)
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prestashop | prestashop | — | — |
| prestashop | prestashop | >= 1.6.0.10 < 1.7.8.7 | 1.7.8.7 |
| prestashop | prestashop | >= 1.6.0.10 < 1.7.8.7 | 1.7.8.7 |
Detection & IOCs (extracted from sources)
command: `id_wishlist={{id_wishlist}}&order=product.price;UPDATE+ps_configuration+SET+value+=1+WHERE+name+LIKE+'%_SMARTY_CACHE';--.desc&from-xhr=`
command: `id_wishlist={{id_wishlist}}&order=product.price;UPDATE+ps_configuration+SET+value+='mysql'+WHERE+name+LIKE+'%_SMARTY_CACHING_TYPE';--.desc&from-xhr=`
command: `id_wishlist={{id_wishlist}}&order=product.price;UPDATE+ps_smarty_cache+SET+content=concat(content,"echo+md5('{{num}}');");--.desc&from-xhr=`
- Exploit chain begins with account creation POST to /login?create_account=1, followed by wishlist API calls to /module/blockwishlist/action and /module/blockwishlist/view; monitor for these sequential requests from the same source IP.
- SQL injection payload is injected into the `order` parameter of POST /module/blockwishlist/view; look for semicolons and SQL keywords (UPDATE, SET, WHERE, LIKE) in that parameter.
- Attacker enables MySQL Smarty caching by updating ps_configuration table, then injects PHP code into ps_smarty_cache.content via concat(), which is later eval'd; detect UPDATE statements targeting ps_smarty_cache or ps_configuration in SQL logs.
- Successful RCE verification produces the MD5 hash c8c605999f3d8352d7bb792cf3fdb25b (md5('999999999')) in the HTTP response body; alert on this value appearing in web server responses.
- Shodan fingerprinting queries for exposed PrestaShop instances: http.component:"Prestashop" or cpe:"cpe:2.3:a:prestashop:prestashop".
- The exploit restores original configuration after execution (sets SMARTY_CACHE back to 0 and SMARTY_CACHING_TYPE back to 'filesystem'); a rapid sequence of opposing UPDATE statements on ps_configuration is a strong behavioral indicator.
- The vulnerability only exists when the MySQL Smarty cache feature is enabled (or can be enabled via SQL injection). Instances using filesystem caching exclusively and not vulnerable to the SQLi may not be exploitable end-to-end.
- Affected version range is 1.6.0.10 through 1.7.8.6 inclusive; version 1.7.8.7 contains the fix. Detections should be scoped to these versions.
- The exploit requires the blockwishlist module to be installed and active on the PrestaShop instance; shops without this module are not exploitable via this attack path.
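The request-level indicators above can be checked mechanically. The Python below is an added example (not part of the original page or of any vendor rule): it flags POSTs to /module/blockwishlist/view whose `order` field carries a semicolon, the listed SQL keywords, or the two table names, and notes when the same source IP created an account first. The record layout `(src_ip, method, path, body)`, the function names, the finding labels and the sample records are assumptions; shops with a table prefix other than `ps_` need the pattern adjusted.

```python
import re
from urllib.parse import parse_qs

VIEW_PATH = "/module/blockwishlist/view"   # endpoint named on the page
SIGNUP_PATH = "/login?create_account=1"    # first request of the chain, per the page
# Indicator name -> pattern applied to the decoded `order` value.
CHECKS = {
    "semicolon": re.compile(r";"),
    "sql-keyword": re.compile(r"\b(UPDATE|SET|WHERE|LIKE)\b", re.IGNORECASE),
    "smarty-table": re.compile(r"\bps_(smarty_cache|configuration)\b", re.IGNORECASE),
}


def order_findings(body):
    """Names of the indicators matched by the `order` field of a form-encoded body."""
    # separator="&" keeps ';' inside the value instead of treating it as a delimiter.
    params = parse_qs(body, keep_blank_values=True, separator="&")
    return [name for value in params.get("order", [])
            for name, rx in CHECKS.items() if rx.search(value)]


def scan(records):
    """records: iterable of (src_ip, method, path, body); returns {src_ip: [findings]}."""
    signed_up, alerts = set(), {}
    for src_ip, method, path, body in records:
        if method != "POST":
            continue
        if path.startswith(SIGNUP_PATH):
            signed_up.add(src_ip)
        elif path.split("?")[0] == VIEW_PATH:
            findings = order_findings(body)
            if findings and src_ip in signed_up:
                findings.append("after-account-creation")
            if findings:
                alerts.setdefault(src_ip, []).append(findings)
    return alerts


# Constructed sample records (documentation IP ranges), not captured traffic.
SAMPLE = [
    ("198.51.100.7", "POST", "/login?create_account=1", "email=a%40example.test"),
    ("198.51.100.7", "POST", "/module/blockwishlist/view",
     "id_wishlist=1&order=product.price;UPDATE+ps_configuration+SET+value+=1"
     "+WHERE+name+LIKE+'%_SMARTY_CACHE';--.desc&from-xhr="),
    ("203.0.113.9", "POST", "/module/blockwishlist/view",
     "id_wishlist=2&order=product.price.desc&from-xhr="),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The ordinary sort value `product.price.desc` from the second source produces no alert, so the check can run on normal wishlist traffic.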
CVSS provenance
- nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
OSV
PrestaShop eval injection possible if shop vulnerable to SQL injection
osv·2022-07-29
CVE-2022-31181 [CRITICAL] PrestaShop eval injection possible if shop vulnerable to SQL injection
### Impact
Eval injection possible if the shop is vulnerable to an SQL injection.
### Patches
The problem is fixed in version 1.7.8.7
### Workarounds
Delete the MySQL Smarty cache feature by removing these lines in the file `config/smarty.config.inc.php` lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):
```php
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}
```
GHSA
PrestaShop eval injection possible if shop vulnerable to SQL injection
ghsa·2022-07-29
CVE-2022-31181 [CRITICAL] CWE-89 PrestaShop eval injection possible if shop vulnerable to SQL injection
VulnCheck
prestashop prestashop Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2022·CVSS 9.8
CVE-2022-31181 [CRITICAL] prestashop prestashop Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Affected: prestashop prestashop
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://build.prestashop-project.org/news/2022/major-security-vulnerability-on-prestashop-websites/
No detection rules found.
Nuclei
PrestaShop - SQL Injection to Eval Injection
nuclei·CVSS 9.8
CVE-2022-31181 [CRITICAL] PrestaShop - SQL Injection to Eval Injection
PrestaShop versions from 1.6.0.10 and before 1.7.8.7 contain an SQL injection caused by unsanitized user input, letting attackers chain the vulnerability to call PHP's Eval function. Exploitation requires the attacker to send malicious input.
Template:
```yaml
id: CVE-2022-31181

info:
  name: PrestaShop - SQL Injection to Eval Injection
  author: daffainfo
  severity: critical
  description: |
    PrestaShop versions from 1.6.0.10 and before 1.7.8.7 contain an SQL injection caused by unsanitized user input, letting attackers chain the vulnerability to call PHP's Eval function, exploit requires attacker to send malicious input.
  remediation: |
    Upgrade to version 1.7.8.7 or later. Alternatively, delete the MySQL Smarty cache feature if upgrade is not possible.
  impact: |
    At
```
No writeups or analysis indexed.
- https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804
- https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4