logo

Database

SQL injection - Code In prestashop/prestashop

Description

PrestaShop eval injection possible if shop vulnerable to SQL injection

Impact

Eval injection possible if the shop is vulnerable to an SQL injection.

Patches

The problem is fixed in version 1.7.8.7

Workarounds

Delete the MySQL Smarty cache feature by removing these lines in the file config/smarty.config.inc.php lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-311812. NVD-2022-311813. OSV-2022-311814. GHSA-hrgx-p36p-89q45. GCVE-2022-31181

References

1. https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q42. https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af8043. https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.74. https://vulncheck.com/cve/CVE-2022-311815. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-31181.yaml6. https://github.com/drkbcn/lblfixer_cve_2022_31181

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.