PT-2021-21697 · Smartdatasoft · Smartblog
Published: 2021-08-24 · Updated: 2021-08-31 · CVE-2021-37538
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SmartDataSoft SmartBlog for PrestaShop versions prior to 4.06

Description: The issue allows a remote unauthenticated attacker to execute arbitrary SQL commands. This can be achieved via the day, month, or year parameter to the "controllers/front/archive.php" archive controller, or the id category parameter to the "controllers/front/category.php" category controller.

Recommendations: For versions prior to 4.06, update to version 4.06 or later to resolve the issue. As a temporary workaround, consider restricting access to the archive and category controllers until a patch is available. Avoid using the day, month, year, and id category parameters in the affected API endpoints until the issue is resolved.
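Added example, not SmartBlog's code and not part of the advisory, showing the two defender-side steps the recommendations imply: the strict integer validation a fixed archive/category controller should apply to day, month, year and id_category before they reach a query, and a scan of access-log lines for requests to those controllers that carry non-integer values during the workaround period. The request path, the parameter name id_category (the page writes "id category"), the log format and the sample lines are all assumptions.

```python
# Added example, not SmartBlog's or the advisory's code. Strict validation of the
# day/month/year/id_category parameters the affected controllers read, plus an
# access-log scan for requests to those controllers carrying non-integer values.
# URL layout, log format and sample lines are constructed assumptions.
import re
from urllib.parse import parse_qs, urlsplit

# parameter -> inclusive (min, max); None means no upper bound
NUMERIC_PARAMS = {"day": (1, 31), "month": (1, 12), "year": (1970, 2100), "id_category": (1, None)}
AFFECTED = re.compile(r"controllers/front/(archive|category)\.php", re.I)  # assumed path
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def validate_params(params):
    """Return (clean, errors). clean maps each present parameter to an int that passed a
    digits-only check and a range check; errors says why the rest were rejected. A fixed
    controller should build its query only from `clean`, never from the raw string."""
    clean, errors = {}, []
    for name, (lo, hi) in NUMERIC_PARAMS.items():
        raw = params.get(name)
        if raw is None:
            continue
        if not re.fullmatch(r"[0-9]{1,10}", raw):
            errors.append(f"{name}: not a plain integer: {raw!r}")
        elif int(raw) < lo or (hi is not None and int(raw) > hi):
            errors.append(f"{name}: out of range: {raw}")
        else:
            clean[name] = int(raw)
    return clean, errors

def scan_access_log(lines):
    """Return (ip, target, errors) for each affected-controller request that fails validation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not AFFECTED.search(m.group("target")):
            continue
        query = urlsplit(m.group("target")).query
        params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        _, errors = validate_params(params)  # parse_qs has already percent-decoded the values
        if errors:
            hits.append((m.group("ip"), m.group("target"), errors))
    return hits

SAMPLE_LOG = [  # constructed lines, not from any real server
    '203.0.113.5 - - [24/Aug/2021:10:00:01 +0000] "GET /modules/smartblog/controllers/front/archive.php?year=2021&month=8&day=24 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/Aug/2021:10:00:07 +0000] "GET /modules/smartblog/controllers/front/archive.php?year=2021&month=8%27 HTTP/1.1" 200 5120',
    '198.51.100.2 - - [24/Aug/2021:10:01:15 +0000] "GET /modules/smartblog/controllers/front/category.php?id_category=3 HTTP/1.1" 200 4096',
    '198.51.100.2 - - [24/Aug/2021:10:01:20 +0000] "GET /modules/smartblog/controllers/front/category.php?id_category=0 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [24/Aug/2021:10:02:00 +0000] "GET /index.php?id_product=3 HTTP/1.1" 200 4096',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the second and fourth lines only; requests to other controllers are ignored even when their parameters look odd, so the rule stays scoped to the affected endpoints.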

Weakness Enumeration: SQL injection
Related Identifiers: CVE-2021-37538
Affected Products: Smartblog