PT-2022-4536 · Unknown · Prestashop

Published: 2022-07-23 · Updated: 2022-08-03 · CVE-2022-36408

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

PrestaShop versions 1.6.0.10 through 1.7.x before 1.7.8.2

Description

The vulnerability is a lack of protection against SQL injection that allows remote attackers to execute arbitrary code. It has been exploited in the wild, with attacks reported in July 2022. PrestaShop is a popular e-commerce platform used by at least 300,000 online stores worldwide and available in 60 languages. The threat targets websites running outdated software or modules with known vulnerabilities. A successful attacker can send a specially crafted request and execute arbitrary instructions, for example injecting a fake payment form into the order confirmation page to collect credit card information. The attack vector consists of a POST request to a vulnerable endpoint, followed by a GET request to the home page, and then a GET request to a newly created PHP file, through which arbitrary instructions are executed.
Recommendations

For PrestaShop versions 1.6.0.10 through 1.7.x before 1.7.8.2, update to PrestaShop version 1.7.8.7 to resolve the issue. As a temporary workaround, restrict access to vulnerable modules, such as the Wishlist module, to minimize the risk of exploitation, and avoid using vulnerable API endpoints until the issue is resolved.
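The three-step request chain in the description above is visible in ordinary web server access logs, so the following detection logic, an added example written for this entry and not code from Positive Technologies or PrestaShop, scans constructed combined-format log lines for a client that POSTs to a module endpoint, then fetches the home page, then fetches a .php file no client had requested before (a likely dropped file). The module path, client addresses and log lines are constructed placeholders, not values from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic); the module path is a placeholder, not a real one.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jul/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [21/Jul/2022:10:00:05 +0000] "GET /index.php?id_product=1 HTTP/1.1" 200 8100
198.51.100.7 - - [21/Jul/2022:10:01:00 +0000] "POST /modules/PLACEHOLDER_MODULE/ajax.php HTTP/1.1" 200 12
198.51.100.7 - - [21/Jul/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [21/Jul/2022:10:01:04 +0000] "GET /xyz.php HTTP/1.1" 200 33
"""

def parse(log_text):
    """Yield (ip, timestamp, method, path-without-query, status) per parsable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
                   m["path"].split("?")[0], int(m["status"]))

def find_chains(log_text, window=timedelta(minutes=5)):
    """Return client IPs that POST to /modules/, GET /, then GET a never-seen .php within `window`."""
    seen_php = set()                          # .php paths requested earlier in the log
    state = defaultdict(lambda: (0, None))    # ip -> (stage reached, time of the POST)
    hits = []
    for ip, ts, method, path, status in parse(log_text):
        stage, t0 = state[ip]
        if stage and ts - t0 > window:        # chain too slow: start over for this client
            stage, t0 = 0, None
        if method == "POST" and path.startswith("/modules/"):
            state[ip] = (1, ts)
        elif stage == 1 and method == "GET" and path == "/":
            state[ip] = (2, t0)
        elif (stage == 2 and method == "GET" and status == 200 and path.endswith(".php")
              and path != "/index.php" and path not in seen_php):
            hits.append(ip)
            state[ip] = (0, None)
        if path.endswith(".php"):
            seen_php.add(path)
    return hits
```

The "never requested before" heuristic needs the log to start before the suspected incident; on a truncated log, seed `seen_php` from the site's known PHP entry points instead.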

Exploit · Fix

Weakness Enumeration

SQL injection

Related Identifiers

BDU:2022-05405
CVE-2022-36408
GHSA-QV6H-PCF2-2W3G

Affected Products

Prestashop