bdroppy- PrestaShop module vulnerability (CVE-2023-26865)

Modulebdroppy

Score

9.8 Critical

Date publish

24-04-2023

Versiones afectadas

Less than 2.2.28

Description

SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component.

References

https://bdroppy.com/dropshipping-apps-in...

Product mitre.org

https://friends-of-presta.github.io/secu...

Exploit Mitigation Third Party Advisory mitre.org

https://bdroppy.com/dropshipping-apps-in...

Product

https://friends-of-presta.github.io/secu...

Exploit Mitigation Third Party Advisory

Metrics

cvssMetricV31
source	nvd@nist.gov	134c704f-9b21-4f2e-91b3-4a467353bcc0
type	Primary	Secondary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
baseScore	9.8	9.8
baseSeverity	CRITICAL	CRITICAL
attackVector	NETWORK	NETWORK
attackComplexity	LOW	LOW
privilegesRequired	NONE	NONE
userInteraction	NONE	NONE
scope	UNCHANGED	UNCHANGED
confidentialityImpact	HIGH	HIGH
integrityImpact	HIGH	HIGH
availabilityImpact	HIGH	HIGH
exploitabilityScore	3.9	3.9
impactScore	5.9	5.9