PT-2018-18646 · Prestashop · Prestashop+1

Andrea Iodice

·

Publicado

2018-05-10

·

Atualizado

2018-06-13

·

CVE-2018-8824

CVSS v3.1

9.8

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions PrestaShop versions 1.5.5.0 through 1.7.2.5 Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module version 1.0.32
Description The issue allows remote attackers to execute a SQL Injection through function calls in the code parameter of the ajax phpcode.php file in the Responsive Mega Menu module.
Recommendations For PrestaShop versions 1.5.5.0 through 1.7.2.5, consider disabling the ajax phpcode.php file in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module until a patch is available. For the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module version 1.0.32, avoid using the code parameter in the affected API endpoint until the issue is resolved.

Exploit

Correção

RCE

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

CVE-2018-8824

Produtos afetados

Prestashop
Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro