CVE-2020-26248
MEDIUM NUCLEI
PrestaShop productcomments <4.2.1 - SQL Injection
Title source: llm
Description
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
Nuclei Templates (1)
PrestaShop Product Comments <4.2.0 - SQL Injection
HIGH VERIFIED by edoardottt
Scores
CVSS v3
6.8
EPSS
0.7737
EPSS Percentile
99.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Details
CWE
CWE-89
Status
published
Products (2)
prestashop/productcomments
< 4.2.1
prestashop/productcomments
4.0.0 - 4.2.1 Packagist
Published
Dec 03, 2020
Tracked Since
Feb 18, 2026