PT-2018-18646 · Prestashop

Andrea Iodice · Published 2018-05-10 · Updated 2018-06-13 · CVE-2018-8824

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PrestaShop versions 1.5.5.0 through 1.7.2.5; Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module version 1.0.32.

Description: The issue allows remote attackers to perform SQL injection through function calls passed in the code parameter of the ajax phpcode.php file in the Responsive Mega Menu module.

Recommendations: For PrestaShop versions 1.5.5.0 through 1.7.2.5, consider disabling the ajax phpcode.php file in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module until a patch is available. For the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module version 1.0.32, avoid using the code parameter in the affected API endpoint until the issue is resolved.
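To verify that the recommendation above has actually taken effect, a defender can scan web-server access logs for requests that reach a phpcode.php endpoint and see whether any of them were still served. The helper below is an added example, not code from the advisory or the module; the module directory in the constructed sample log (modules/responsivemegamenu/ajax/) is an assumed path, since the advisory only names the file and the code parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined log format. The directory
# "modules/responsivemegamenu/ajax/" is an assumption; the advisory names only
# the file "phpcode.php" and its "code" parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2018:12:00:01 +0000] "GET /modules/responsivemegamenu/ajax/phpcode.php?code=example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [10/May/2018:12:00:02 +0000] "GET /index.php?id_product=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2018:12:00:03 +0000] "POST /modules/responsivemegamenu/ajax/phpcode.php HTTP/1.1" 403 0 "-" "curl/7.58"
203.0.113.8 - - [10/May/2018:12:00:04 +0000] "GET /modules/responsivemegamenu/ajax/phpcode.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method + target) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_phpcode_requests(log_text):
    """Return one record per request whose path ends in /phpcode.php.

    Each record says whether the query string carried the 'code' parameter
    and whether the server let the request through (status below 400), so
    that a non-empty list of served requests shows the file is still
    reachable and the recommendation has not been applied.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/phpcode.php"):
            continue
        # Only query-string parameters are visible in an access log; a POST
        # body carrying 'code' is not, so the endpoint itself is the signal.
        params = parse_qs(parts.query)
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "has_code_param": "code" in params,
            "status": status,
            "served": status < 400,
        })
    return hits
```

Any record with "served" set to True after the file was supposed to be disabled is worth following up, whether or not the code parameter is visible.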

Tags: Exploit · Fix · RCE · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2018-8824

Affected Products: Prestashop; Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro