CVE-2020-26248: Blind SQL injection in PrestaShop productcomments module
CVSS Score: 8.2 (CVSS v3.0)
Basic Information
CVE ID: CVE-2020-26248
GHSA ID:
EPSS Score: 0.99095%
CWE: CWE-89
Published: 1/20/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
prestashop/productcomments | composer | >= 4.0.0, < 4.2.1 | 4.2.1 |
Vulnerability Intelligence: Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper input validation of numeric parameters used in SQL queries. Key indicators:
- The patch focused on adding integer casting (intval() or an (int) cast) to user-controlled inputs
- The affected files handled product IDs and pagination parameters
- In repository methods, pSQL() (string escaping) was replaced with integer casting; string escaping only neutralises quote characters, so it does not protect a value that is interpolated unquoted into a numeric SQL context, which indicates the prior sanitization was insufficient
- The SQL query construction in ProductCommentRepository interpolated these parameters directly into the query string, the pattern that made injection possible
- The CWE-89 classification confirms a classic SQL injection through unvalidated user input in a SQL context
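The weak and hardened query shapes described above, as an added PHP illustration that is not the productcomments module's or PrestaShop's own code. The escaper stand-in, the two query builders, the validation helper and the table and column names are assumptions chosen for the example; only the direction of the fix (casting numeric parameters to int instead of relying on string escaping) comes from the record.

```php
<?php
declare(strict_types=1);

// Added example, not code from the productcomments module or PrestaShop.
// It models the root-cause pattern with a stand-in escaper and two
// hypothetical repository-style query builders.

// Stand-in for pSQL(): escapes quotes and backslashes the way a MySQL string
// escaper does. Assumed behaviour for this example only; the real pSQL()
// delegates to PrestaShop's Db layer.
function escapeLikePSQL(string $value): string
{
    return addslashes($value);
}

// Vulnerable shape: the value is escaped and then interpolated unquoted into
// a numeric comparison and a LIMIT clause. Escaping only neutralises quote
// characters, so spaces, operators and keywords pass straight through.
function buildCommentsQueryVulnerable(string $idProduct, string $page, int $perPage = 10): string
{
    $idProduct = escapeLikePSQL($idProduct);
    $offset = escapeLikePSQL($page); // hypothetical: page value used directly as the offset
    return 'SELECT * FROM product_comment WHERE id_product = ' . $idProduct
        . ' ORDER BY date_add DESC LIMIT ' . $offset . ', ' . $perPage;
}

// Hardened shape matching the fix direction: cast to int before interpolation,
// so those positions in the SQL can only ever contain digits.
function buildCommentsQueryFixed(string $idProduct, string $page, int $perPage = 10): string
{
    $idProductInt = (int) $idProduct;
    $pageInt = max(1, (int) $page);
    $offset = ($pageInt - 1) * $perPage;
    return 'SELECT * FROM product_comment WHERE id_product = ' . $idProductInt
        . ' ORDER BY date_add DESC LIMIT ' . $offset . ', ' . $perPage;
}

// Stricter handling for controller code: a bare cast silently turns "abc" into 0,
// so reject anything that is not a well-formed positive integer up front and
// let the caller answer with an error instead of querying with a bogus id.
function requirePositiveInt(string $value): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int === false) {
        throw new InvalidArgumentException('numeric parameter expected');
    }
    return $int;
}

// Review-time check: every numeric slot in the built SQL holds digits only.
// Useful as a unit test over a repository's query builders.
function numericSlotsAreClean(string $sql): bool
{
    return (bool) preg_match('/WHERE id_product = \d+ ORDER BY date_add DESC LIMIT \d+, \d+$/', $sql);
}

// Constructed input: a non-numeric product id such as a tampered request might carry.
$tampered = '1 OR 1=1';

$vulnerable = buildCommentsQueryVulnerable($tampered, '1');
$fixed = buildCommentsQueryFixed($tampered, '1');

// The vulnerable query still carries the " OR 1=1" tail after escaping;
// the fixed query has been reduced to a single integer in that slot.
var_dump(numericSlotsAreClean($vulnerable));
var_dump(numericSlotsAreClean($fixed));

// Strict validation rejects the same input before any query is built.
try {
    requirePositiveInt($tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The `numericSlotsAreClean()` check is the kind of assertion a reviewer can add around a repository's query builders to catch regressions: it fails for the escaping-only builder and passes for the casting builder on the same input. Casting is the minimal fix; combining it with explicit validation (as `requirePositiveInt()` does) avoids the separate problem of silently querying id 0 when a client sends garbage.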