PT-2021-10530 · Nuishop · Nuishop

Published

2021-08-26

Updated

2021-08-27

CVE-2020-20675

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Nuishop version 2.3

Description: The issue is a SQL injection vulnerability located in the /goods/getGoodsListByConditions/ endpoint. This vulnerability can potentially be exploited to extract or modify sensitive data from the database.

Recommendations: For Nuishop version 2.3, consider restricting access to the /goods/getGoodsListByConditions/ endpoint until a patch is available. As a temporary workaround, avoid using parameters that could be used to inject malicious SQL code in this endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-20675

Affected Products

Nuishop

PT-2021-10530 · Nuishop · Nuishop

CVE-2020-20675

Weakness Enumeration

Related Identifiers

Affected Products

References · 6