
CVE-2020-26248: Blind SQL injection in PrestaShop productcomments module

CVSS Score: 8.2 (CVSS v3.0)

Basic Information

EPSS Score
0.99095%
Published
1/20/2021
Updated
2/1/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Package Name: prestashop/productcomments
Ecosystem: composer
Vulnerable Versions: >= 4.0.0, < 4.2.1
First Patched Version: 4.2.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from improper input validation of numeric parameters used in SQL queries. Key indicators:

  1. The patch focused on adding integer casting (intval/(int)) to user-controlled inputs
  2. Affected files handled product IDs and pagination parameters
  3. pSQL() (string escaping) was replaced with integer casting in repository methods, indicating prior insufficient sanitization
  4. SQL query construction patterns in ProductCommentRepository show direct parameter interpolation vulnerable to injection
  5. CWE-89 classification confirms classic SQL injection pattern through unvalidated user input in SQL context
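The indicators above describe a pattern worth seeing side by side: a numeric parameter passed through string escaping and then interpolated into an unquoted SQL position, beside the integer-cast fix. The following is an added illustration, not the productcomments module's code; `pSQL_standin()` is a simplified hypothetical stand-in for PrestaShop's `pSQL()`, the table name and inputs are constructed.

```php
<?php
// Added example (not the productcomments module's code): why string escaping
// does not protect an unquoted numeric SQL parameter, and what (int) casting
// changes. Same reasoning applies to pagination values placed into LIMIT/OFFSET.

// Hypothetical stand-in for PrestaShop's pSQL(): it escapes quote, backslash
// and control characters for a *quoted string* context. Spaces, keywords and
// operators pass through untouched, which is all an unquoted numeric context
// needs to be altered.
function pSQL_standin(string $s): string
{
    return addcslashes($s, "\\'\"\0\n\r\x1a");
}

// Vulnerable pattern: the id is "escaped" but interpolated without quotes.
function buildQueryEscaped(string $idProduct): string
{
    return 'SELECT * FROM ps_product_comment WHERE id_product = '
        . pSQL_standin($idProduct);
}

// Hardened pattern (what the patch did): casting to int guarantees the
// interpolated value is a bare integer literal; trailing text is discarded.
function buildQueryCast(string $idProduct): string
{
    return 'SELECT * FROM ps_product_comment WHERE id_product = '
        . (int) $idProduct;
}

// Review/test-time check: a numeric comparison must end in digits only.
function numericContextIsSafe(string $query): bool
{
    return (bool) preg_match('/id_product = -?\d+$/', $query);
}

// Constructed inputs: a normal id, and an id with unquoted trailing SQL.
foreach (['5', '5 OR 1=1'] as $input) {
    foreach (['escaped' => buildQueryEscaped($input),
              'cast'    => buildQueryCast($input)] as $label => $query) {
        printf("%-10s %-8s %-55s [%s]\n", var_export($input, true), $label,
            $query, numericContextIsSafe($query) ? 'safe' : 'UNSAFE');
    }
}
```

Run with `php example.php`: the escaped form of the second input keeps `OR 1=1` in the WHERE clause and is flagged UNSAFE, while the cast form reduces it to `id_product = 5`.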


WAF Protection Rules

WAF Rule

### Impact

An attacker can use a blind SQL injection to retrieve data or stop the MySQL service.

### Patches

The problem is fixed in 4.2.1
