CVE-2018-25342

Name of the Vulnerable Software and Affected Versions Smartshop version 1

Description An issue allows unauthenticated attackers to manipulate database queries by injecting SQL code. This is achieved by sending GET requests containing malicious SQL payloads, such as SLEEP commands, through the searched parameter in the 'search.php' endpoint. This time-based blind SQL injection—a technique that relies on the database pausing its response to confirm the presence of data—can be used to extract sensitive information, including system data and product details.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.