CVE-2021-37593

Опубликовано: 30 июл. 2021

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data.

Ссылки

http://www.netbytesec.com/advisories/UnauthenticatedBlindSQLInjectionVulnerabilityInPEELShopping/
Exploit
Third Party Advisory
https://github.com/advisto/peel-shopping/issues/3
Exploit
Issue Tracking
Third Party Advisory
https://github.com/faisalfs10x/CVE-IDs/blob/main/2021/CVE-2021-37593/Proof_of_Concept.md
Exploit
Third Party Advisory
http://www.netbytesec.com/advisories/UnauthenticatedBlindSQLInjectionVulnerabilityInPEELShopping/
Exploit
Third Party Advisory
https://github.com/advisto/peel-shopping/issues/3
Exploit
Issue Tracking
Third Party Advisory
https://github.com/faisalfs10x/CVE-IDs/blob/main/2021/CVE-2021-37593/Proof_of_Concept.md
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:peel:peel_shopping:9.4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 72%

0.00699

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-fqhv-hh4c-7x6g

github

больше 3 лет назад

PEEL Shopping before 9.4.0.1 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands via the id parameter on the achat/produit_details.php?id={SQLi] endpoint. Upon a successful SQL injection attack, an attacker can read sensitive data from the database or modify database data.