CVSS Score

The vulnerability stems from unsanitized user input being used to construct a SQL query. The commit diff shows that the patch added `Validate::isOrderBy()` and `Validate::isOrderWay()` checks before the ORDER BY clause is built. In vulnerable versions, the code concatenated `$sortOrder` and `$sortWay` (taken from the user-controlled `$query->getSortOrder()`) directly into the SQL statement via `$querySearch->orderBy()`, which enabled injection. The `getProductsOrCount` method is the entry point where the untrusted sorting parameters flow into SQL without validation.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| prestashop/blockwishlist | composer | >= 2.0.0, < 2.1.1 | 2.1.1 |
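The defensive pattern the patch introduces is allow-listing of both halves of the ORDER BY clause. The following is an added example, not code from PrestaShop or the blockwishlist module: `buildOrderBy()`, the `SORTABLE_COLUMNS` list and the sample inputs are all assumptions constructed for illustration, standing in for the module's real `Validate::isOrderBy()` / `Validate::isOrderWay()` checks and its `getProductsOrCount` flow. It shows that the request-supplied column and direction are checked against fixed sets before they are ever placed in a SQL string, and that anything outside those sets is rejected rather than concatenated.

```php
<?php
// Added example (not PrestaShop's code): allow-list validation of ORDER BY
// inputs before they reach a SQL string, mirroring the intent of the patch's
// Validate::isOrderBy() / Validate::isOrderWay() checks.

declare(strict_types=1);

// Hypothetical allow-list of sortable columns for a product listing.
const SORTABLE_COLUMNS = ['name', 'price', 'date_add', 'quantity'];

/**
 * Returns a safe ORDER BY fragment or throws if either part is not allowed.
 * The column name must match the fixed allow-list exactly and the direction
 * must be ASC or DESC; nothing from the request is concatenated unchecked.
 */
function buildOrderBy(string $sortOrder, string $sortWay): string
{
    $way = strtoupper(trim($sortWay));
    if (!in_array($way, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('Invalid sort direction');
    }
    if (!in_array($sortOrder, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Invalid sort column');
    }
    // Only allow-listed identifiers reach this point, so quoting them is safe.
    return 'ORDER BY `' . $sortOrder . '` ' . $way;
}

// Constructed sample inputs, as a controller would receive them from a query string.
$samples = [
    ['price', 'desc'],      // legitimate: accepted, direction normalised to DESC
    ['name', 'ASC'],        // legitimate: accepted
    ['price --', 'ASC'],    // constructed malformed column: rejected
    ['name', 'up'],         // constructed malformed direction: rejected
];

foreach ($samples as [$order, $way]) {
    try {
        echo buildOrderBy($order, $way), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The vulnerable shape described above is the same function with the two `in_array` checks removed, so that `$sortOrder` and `$sortWay` are written straight into the returned fragment. Parameter binding does not help for ORDER BY, because identifiers and keywords cannot be bound, which is why an allow-list (or an identifier validator such as PrestaShop's `Validate::isOrderBy()`) is the appropriate control here.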