exploitDog

CVE-2021-37538

Опубликовано: 24 авг. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Высокий

Описание

Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller.

Ссылки

https://blog.sorcery.ie/posts/smartblog_sqli/
Exploit
Third Party Advisory
https://classydevs.com/free-modules/smartblog/
Product
Vendor Advisory
https://blog.sorcery.ie/posts/smartblog_sqli/
Exploit
Third Party Advisory
https://classydevs.com/free-modules/smartblog/
Product
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:smartdatasoft:smartblog:*:*:*:*:*:prestashop:*:*

Версия до 4.06 (исключая)

EPSS

Процентиль: 100%

0.89404

Высокий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-8v9p-7c45-26j2

github

больше 3 лет назад

Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller.

EPSS

Процентиль: 100%

0.89404

Высокий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-89