CVE-2020-26248 Blind SQL injection during the CommentGrade process

2020-12-0320:55:13

CWE-89

GitHub_M

www.cve.org

cve-2020-26248

blind sql injection

commentgrade process

prestashop

productcomments

version 4.2.1

mysql service

CVSS3

6.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

AI Score

8.4

Confidence

High

EPSS

0.019

Percentile

88.5%

JSON

In the PrestaShop module “productcomments” before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.

CNA Affected

[
  {
    "product": "productcomments",
    "vendor": "PrestaShop",
    "versions": [
      {
        "status": "affected",
        "version": ">= 4.0.0, < 4.2.1"
      }
    ]
  }
]