CVE-2022-44727
Published 2022-11-10
Priority: P2 · 62 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 2.40% (81.9th percentile)

The EU Cookie Law GDPR (Banner + Blocker) module before 2.1.3 for PrestaShop allows SQL Injection via a cookie (lgcookieslaw or __lglaw).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lineagrafica | eu_cookie_law_gdpr | < 2.1.3 | 2.1.3 |
Detection & IOCs (extracted from sources)
path: /modules/lgcookieslaw/views/css/front.css
path: /modules/lgcookieslaw/views/js/front.js
command: 2,3,4,5) AND (SELECT {{rand_num}} FROM (SELECT(SLEEP(10)))vkBH) AND (9297=9297
- Detect exploitation attempts by monitoring HTTP requests carrying the __lglaw or lgcookieslaw cookie containing SQL time-based blind injection payloads (e.g., SLEEP()).
- Flag requests to the PrestaShop root (GET /) that include X-Requested-With: XMLHttpRequest and a Cookie header containing __lglaw or lgcookieslaw with SQL metacharacters such as parentheses, AND, SELECT, or SLEEP.
- Presence of the module paths /modules/lgcookieslaw/views/css/front.css or /modules/lgcookieslaw/views/js/front.js returning HTTP 200 with a body containing 'lgcookieslaw' confirms the vulnerable module is installed and active.
- Time-based detection: a response duration >= 10 seconds to a crafted __lglaw or lgcookieslaw cookie payload (containing SLEEP(10)) with HTTP 200 status is a strong indicator of successful blind SQLi exploitation.
- The lgcookieslaw v2 cookie payload is Base64-encoded JSON; decode the lgcookieslaw cookie value and inspect the lgcookieslaw_accepted_purposes array for SQL injection strings.
- Use Shodan queries http.component:"Prestashop" or http.component:"prestashop" to identify internet-exposed PrestaShop instances that may be running the vulnerable lgcookieslaw module.
- The vulnerability is unauthenticated (PR:N/UI:N) and exploitable via a simple cookie header, meaning no session or login is required to trigger the SQL injection.
- The module is only vulnerable in versions before 2.1.3; the detection template first fingerprints the module's static assets before sending the injection payload, reducing false positives.
- Time-based detection requires a 20-second request timeout; standard WAF/proxy timeouts shorter than this may cause missed detections.
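The notes above describe two checks a defender can run on request logs: decode the v2 cookie (Base64-wrapped JSON) and scan its lgcookieslaw_accepted_purposes array for SQL metacharacters, and treat a slow HTTP 200 to such a tainted cookie as the time-based signal. The following Python is an added example, not code from this page, the module or the Nuclei template; the function names, finding labels and sample cookie values are constructed for illustration.

```python
import base64
import json
import re

# Consent cookie names named in the advisory.
CONSENT_COOKIES = ("lgcookieslaw", "__lglaw")

# Metacharacters/keywords the detection notes list: parentheses, quotes, AND, SELECT, SLEEP().
SQLI_PATTERN = re.compile(r"\bAND\b|\bSELECT\b|SLEEP\s*\(|[()'\"]", re.IGNORECASE)


def parse_cookie_header(header):
    """Split a raw Cookie header into {name: value}; only the first '=' separates name from value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def encode_v2_consent(purposes):
    """Build a v2-style cookie value (Base64 JSON). Used here only to construct sample data."""
    body = json.dumps({"lgcookieslaw_accepted_purposes": purposes}).encode()
    return base64.b64encode(body).decode()


def decode_v2_consent(value):
    """Return the decoded v2 JSON object, or None when the value is not Base64-wrapped JSON (v1/plain)."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
        obj = json.loads(raw)
    except (ValueError, TypeError):
        return None
    return obj if isinstance(obj, dict) else None


def inspect_request(cookie_header, duration_s=0.0, status=200):
    """Return finding labels (hypothetical names) for one logged request."""
    findings = []
    for name, value in parse_cookie_header(cookie_header).items():
        if name not in CONSENT_COOKIES:
            continue
        decoded = decode_v2_consent(value)
        if decoded is None:
            candidates = [value]  # v1 / plain value: scan the raw cookie value
        else:
            purposes = decoded.get("lgcookieslaw_accepted_purposes", [])
            purposes = purposes if isinstance(purposes, list) else [purposes]
            candidates = [str(p) for p in purposes]  # v2: scan the accepted-purposes array
        if any(SQLI_PATTERN.search(c) for c in candidates):
            findings.append(f"sqli_metachars:{name}")
    # A >= 10 s HTTP 200 to a tainted consent cookie matches the SLEEP(10) time-based pattern.
    if findings and status == 200 and duration_s >= 10:
        findings.append("time_based_blind_sqli")
    return findings
```

Run it over your access-log fields (Cookie header, response time, status) and alert on any non-empty result; the time-based label only fires when the metacharacter check has already matched, so slow legitimate requests alone do not trigger it.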
Nuclei template: PrestaShop lgcookieslaw - SQL Injection (CVE-2022-44727, critical, CVSS 9.1)
The EU Cookie Law GDPR (Banner + Blocker) PrestaShop module before 2.1.3 allows blind SQL injection via the __lglaw or lgcookieslaw cookie used to store user consent choices.
Template:

```yaml
id: CVE-2022-44727
info:
  name: PrestaShop lgcookieslaw - SQL Injection
  author: mastercho
  severity: critical
  description: |
    The EU Cookie Law GDPR (Banner + Blocker) PrestaShop module before 2.1.3 allows blind SQL injection via the __lglaw or lgcookieslaw cookie used to store user consent choices.
  impact: |
    Successful exploitation allows unauthenticated attackers to read or modify the shop database, including customer PII and payment-related data.
  remediation: |
    Upgrade the lgcookieslaw module to version 2.1.3 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/
```
References:
- https://addons.prestashop.com/en/legal/8734-eu-cookie-law-gdpr-banner-blocker.html
- https://securityandstuff.com/posts/cve-2022-44727/
- https://www.lineagrafica.es/modp/lgcookieslaw/en/readme_en.pdf