Blind SQL injection during the CommentGrade process
CVE-2020-26248
6.8 MEDIUM
What is CVE-2020-26248?
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
Affected Version(s)
productcomments >= 4.0.0, < 4.2.1
References
EPSS Score
80% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 6.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved