CVE-2022-31181

CRITICAL EXPLOITED NUCLEI

PrestaShop <1.7.8.7 - SQL Injection

Title source: llm

Description

PrestaShop is an open source e-commerce platform. Versions from 1.6.0.10 up to, but not including, 1.7.8.7 are subject to an SQL injection vulnerability that can be chained to call PHP's eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.

Exploits (1)

nomisec WORKING POC
by drkbcn · poc
https://github.com/drkbcn/lblfixer_cve_2022_31181

Nuclei Templates (1)

PrestaShop - SQL Injection to Eval Injection
CRITICAL VERIFIED by daffainfo
Shodan: http.component:"Prestashop" || cpe:"cpe:2.3:a:prestashop:prestashop" || http.component:"prestashop"

Scores

CVSS v3 9.8
EPSS 0.7827
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-07-22
CWE
CWE-74 CWE-89
Status published
Products (2)
prestashop/prestashop 1.6.0.10 - 1.7.8.7
prestashop/prestashop 1.6.0.10 - 1.7.8.7 Packagist
Published Aug 01, 2022
Tracked Since Feb 18, 2026