Vulnerability Details CVE-2020-26248
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.81
EPSS Ranking 99.1%
CVSS Severity
CVSS v3 Score 6.8
CVSS v2 Score 6.4
References
- http://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
- https://github.com/PrestaShop/productcomments/commit/7c2033dd811744e021da8897c80d6c301cd45ffa
- https://github.com/PrestaShop/productcomments/releases/tag/v4.2.1
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
- https://packagist.org/packages/prestashop/productcomments
- http://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
- https://github.com/PrestaShop/productcomments/commit/7c2033dd811744e021da8897c80d6c301cd45ffa
- https://github.com/PrestaShop/productcomments/releases/tag/v4.2.1
- https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
- https://packagist.org/packages/prestashop/productcomments
Products affected by CVE-2020-26248
-
cpe:2.3:a:prestashop:productcomments:3.6.0
-
cpe:2.3:a:prestashop:productcomments:3.6.1
-
cpe:2.3:a:prestashop:productcomments:4.0.0
-
cpe:2.3:a:prestashop:productcomments:4.0.1
-
cpe:2.3:a:prestashop:productcomments:4.1.0
-
cpe:2.3:a:prestashop:productcomments:4.2.0