CVE-2022-44727
published 2022-11-10

CVE-2022-44727: The EU Cookie Law GDPR (Banner + Blocker) module before 2.1.3 for PrestaShop allows SQL Injection via a cookie (lgcookieslaw or __lglaw).

Priority: P2 · 62
Severity: critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 2.40% (81.9th percentile)
Affected (1 range)

Vendor         Product               Version range   Fixed in
lineagrafica   eu_cookie_law_gdpr    < 2.1.3         2.1.3

Detection & IOCs (extracted from sources)

cookie: __lglaw
cookie: lgcookieslaw
path: /modules/lgcookieslaw/views/css/front.css
path: /modules/lgcookieslaw/views/js/front.js
command: 2,3,4,5) AND (SELECT {{rand_num}} FROM (SELECT(SLEEP(10)))vkBH) AND (9297=9297
  • Detect exploitation attempts by monitoring HTTP requests carrying the __lglaw or lgcookieslaw cookie containing SQL time-based blind injection payloads (e.g., SLEEP()).
  • Flag requests to the PrestaShop root (GET /) that include X-Requested-With: XMLHttpRequest and a Cookie header containing __lglaw or lgcookieslaw with SQL metacharacters such as parentheses, AND, SELECT, or SLEEP.
  • Presence of the module paths /modules/lgcookieslaw/views/css/front.css or /modules/lgcookieslaw/views/js/front.js returning HTTP 200 with body containing 'lgcookieslaw' confirms the vulnerable module is installed and active.
  • Time-based detection: a response duration >= 10 seconds to a crafted __lglaw or lgcookieslaw cookie payload (containing SLEEP(10)) with HTTP 200 status is a strong indicator of successful blind SQLi exploitation.
  • The lgcookieslaw v2 cookie payload is Base64-encoded JSON; decode the lgcookieslaw cookie value and inspect the lgcookieslaw_accepted_purposes array for SQL injection strings.
  • Use Shodan queries http.component:"Prestashop" or http.component:"prestashop" to identify internet-exposed PrestaShop instances that may be running the vulnerable lgcookieslaw module.
  • The vulnerability is unauthenticated (PR:N/UI:N) and exploitable via a simple cookie header, meaning no session or login is required to trigger the SQL injection.
  • The module is only vulnerable in versions before 2.1.3; the detection template first fingerprints the module's static assets before sending the injection payload, reducing false positives.
  • Time-based detection requires a 20-second request timeout; standard WAF/proxy timeouts shorter than this may cause missed detections.
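The detection guidance above, turned into a small request inspector as an added example (this is not code from the cvebase page, the module vendor, or any published Nuclei template). It parses the Cookie header, flags the lgcookieslaw and __lglaw cookies when their raw value carries the listed SQL metacharacters, decodes the Base64 JSON form of the v2 cookie and inspects its lgcookieslaw_accepted_purposes array, notes the AJAX-style GET to the shop root, and finally combines a suspicious request with a 200 response that took at least the SLEEP(10) delay. The regex, the JSON layout beyond the one named key, the sample requests and the host name are all assumptions constructed for the example.

```python
import base64
import json
import re
from typing import Dict, List
from urllib.parse import unquote

# Cookie names the advisory identifies as the injection carrier.
WATCHED_COOKIES = ("lgcookieslaw", "__lglaw")

# Metacharacter combinations from the detection guidance (parentheses around
# AND, a SELECT keyword, a SLEEP( call). Assumed pattern, not a published rule.
SQLI_PATTERN = re.compile(r"\)\s*AND\s*\(|\bSELECT\b|\bSLEEP\s*\(", re.IGNORECASE)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into name -> value; first occurrence wins."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies.setdefault(name.strip(), value.strip())
    return cookies


def decode_v2_cookie(value: str):
    """Decode the Base64-encoded JSON of the lgcookieslaw v2 cookie.
    Returns None for anything that is not valid Base64 JSON (raw injection
    strings and legacy cookie values both end up here)."""
    try:
        stripped = value.strip()
        padded = stripped + "=" * (-len(stripped) % 4)
        return json.loads(base64.b64decode(padded))
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None


def inspect_cookie_value(name: str, value: str) -> List[str]:
    """Return the reasons one watched cookie value looks like an injection."""
    reasons: List[str] = []
    decoded = unquote(value)
    if SQLI_PATTERN.search(decoded):
        reasons.append(f"{name}: SQL metacharacters in raw cookie value")
    payload = decode_v2_cookie(decoded)
    if isinstance(payload, dict):
        purposes = payload.get("lgcookieslaw_accepted_purposes", [])
        for item in (purposes if isinstance(purposes, list) else []):
            if isinstance(item, str) and SQLI_PATTERN.search(item):
                reasons.append(f"{name}: SQL metacharacters in "
                               f"lgcookieslaw_accepted_purposes entry {item!r}")
    return reasons


def analyze_request(raw: str) -> Dict[str, object]:
    """Inspect one raw HTTP request (request line plus headers)."""
    lines = raw.strip().splitlines()
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, sep, val = line.partition(":")
        if sep:
            headers[key.strip().lower()] = val.strip()
    cookies = parse_cookie_header(headers.get("cookie", ""))
    reasons: List[str] = []
    for name in WATCHED_COOKIES:
        if name in cookies:
            reasons.extend(inspect_cookie_value(name, cookies[name]))
    # Weak secondary fingerprint from the guidance: AJAX-style GET to the root.
    ajax_to_root = (request_line.startswith("GET / ")
                    and headers.get("x-requested-with", "").lower() == "xmlhttprequest")
    return {"request_line": request_line, "ajax_to_root": ajax_to_root,
            "reasons": reasons, "suspicious": bool(reasons)}


def classify(raw: str, status: int, duration_seconds: float) -> str:
    """A suspicious cookie plus a 200 response that took at least the
    SLEEP(10) delay is the strongest signal the guidance names."""
    if not analyze_request(raw)["suspicious"]:
        return "benign"
    if status == 200 and duration_seconds >= 10:
        return "likely-successful-sqli"
    return "attempt"


def _b64_json(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample requests (placeholder host, assumed cookie JSON layout).
BENIGN_REQUEST = "\n".join([
    "GET / HTTP/1.1", "Host: shop.example.invalid",
    "Cookie: PHPSESSID=abc123; lgcookieslaw="
    + _b64_json({"lgcookieslaw_accepted_purposes": ["1", "2", "3"]}),
])
RAW_INJECTION_REQUEST = "\n".join([
    "GET / HTTP/1.1", "Host: shop.example.invalid",
    "X-Requested-With: XMLHttpRequest",
    "Cookie: __lglaw=1) AND (SELECT SLEEP(10)) AND (1=1",
])
ENCODED_INJECTION_REQUEST = "\n".join([
    "GET / HTTP/1.1", "Host: shop.example.invalid",
    "Cookie: lgcookieslaw="
    + _b64_json({"lgcookieslaw_accepted_purposes": ["1", "2) AND (SELECT 1) AND (1"]}),
])
```

Feed `analyze_request` the raw request text from a proxy or WAF log and `classify` the same request together with the upstream status and response time; the AJAX-to-root flag is deliberately not enough on its own to mark a request suspicious, since ordinary storefront traffic produces it too. As the guidance notes, the timing signal only works if the observing component waits longer than the 10-second sleep before giving up.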