blockwishlist- PrestaShop module vulnerability (CVE-2022-31101)

Moduleblockwishlist

Score

8.8 High

Date publish

27-06-2022

Versiones afectadas

Less than 2.1.1

Description

prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.

References

http://packetstormsecurity.com/files/168...

Exploit Third Party Advisory VDB Entry github.com

https://github.com/PrestaShop/blockwishl...

Patch Third Party Advisory github.com

https://github.com/PrestaShop/blockwishl...

Third Party Advisory github.com

http://packetstormsecurity.com/files/168...

Exploit Third Party Advisory VDB Entry

https://github.com/PrestaShop/blockwishl...

Patch Third Party Advisory

https://github.com/PrestaShop/blockwishl...

Third Party Advisory

Metrics

cvssMetricV31
source	security-advisories@github.com	nvd@nist.gov
type	Secondary	Primary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
baseScore	8.1	8.8
baseSeverity	HIGH	HIGH
attackVector	NETWORK	NETWORK
attackComplexity	LOW	LOW
privilegesRequired	LOW	LOW
userInteraction	NONE	NONE
scope	UNCHANGED	UNCHANGED
confidentialityImpact	HIGH	HIGH
integrityImpact	HIGH	HIGH
availabilityImpact	NONE	HIGH
exploitabilityScore	2.8	2.8
impactScore	5.2	5.9
cvssMetricV2
source	nvd@nist.gov
type	Primary
version	2.0
vectorString	AV:N/AC:L/Au:S/C:P/I:P/A:P
baseScore	6.5
accessVector	NETWORK
accessComplexity	LOW
authentication	SINGLE
confidentialityImpact	PARTIAL
integrityImpact	PARTIAL
availabilityImpact	PARTIAL
baseSeverity	MEDIUM
exploitabilityScore	8
impactScore	6.4
acInsufInfo	False
obtainAllPrivilege	False
obtainUserPrivilege	False
obtainOtherPrivilege	False
userInteractionRequired	False