First published: Mon Aug 01 2022
PrestaShop is an open source e-commerce platform. In versions from 1.6.0.10 up to but not including 1.7.8.7, PrestaShop is subject to an SQL injection vulnerability that can be chained to call PHP's eval function on attacker-controlled input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
PrestaShop PrestaShop | >=1.6.0.10, <1.7.8.7 | Upgrade to 1.7.8.7 or later
CVE-2022-31181 is an SQL injection vulnerability in PrestaShop versions from 1.6.0.10 to 1.7.8.6, which can be chained to call PHP's eval function on attacker-controlled input.
CVE-2022-31181 has a severity rating of 9.8 (Critical).
CVE-2022-31181 affects PrestaShop versions from 1.6.0.10 to 1.7.8.6, allowing SQL injection attacks and execution of arbitrary PHP code.
To fix the SQL injection vulnerability in PrestaShop, you should upgrade to version 1.7.8.7 or later.
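As an added example (not part of this advisory or of PrestaShop's own code), the following Python check maps an installed PrestaShop version string onto the affected range given above, comparing components numerically so that 1.6.0.10 sorts after 1.6.0.9 (a plain string comparison gets this wrong) and padding short versions such as 1.7.8 to four components; the function names are my own.

```python
# Added example, not from the advisory or PrestaShop: decide whether an
# installed PrestaShop version falls inside the advisory's affected range
# ">=1.6.0.10, <1.7.8.7". Versions are compared as integer tuples, never as
# strings, and versions with fewer than four components are right-padded
# with zeros ("1.7.8" is treated as "1.7.8.0").

AFFECTED_MIN = "1.6.0.10"   # first affected version (inclusive), from the advisory
FIXED_IN = "1.7.8.7"        # first fixed version (exclusive), from the advisory


def parse_version(version: str, width: int = 4) -> tuple:
    """Turn '1.7.8' into (1, 7, 8, 0) so dotted versions compare numerically.

    Only purely numeric dotted versions are accepted; anything else
    (pre-release suffixes, extra components) raises ValueError rather than
    silently being treated as safe or unsafe.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str) -> bool:
    """True if version is >= 1.6.0.10 and < 1.7.8.7, the CVE-2022-31181 range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v < parse_version(FIXED_IN)


def recommended_action(version: str) -> str:
    """Map a version to the advisory's guidance: upgrade, or no action needed."""
    if is_affected(version):
        return (f"Affected: upgrade to {FIXED_IN} or later; if you cannot upgrade yet, "
                "remove the MySQL Smarty cache feature as the advisory suggests.")
    return "Not in the affected range."


if __name__ == "__main__":
    # Constructed sample versions around the range boundaries.
    for v in ("1.6.0.9", "1.6.0.10", "1.7.8", "1.7.8.6", "1.7.8.7", "8.0.0"):
        print(v, "->", recommended_action(v))
```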
You can find more information about CVE-2022-31181 in the following references: [Link 1](https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804), [Link 2](https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7), [Link 3](https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4).