GSD-2022-31101
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-31101",
"description": "prestashop/blockwishlist is a prestashop extension which adds a block containing the customer\u0027s wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.",
"id": "GSD-2022-31101"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-31101"
],
"details": "prestashop/blockwishlist is a prestashop extension which adds a block containing the customer\u0027s wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.",
"id": "GSD-2022-31101",
"modified": "2023-12-13T01:19:18.262429Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31101",
"STATE": "PUBLIC",
"TITLE": "SQL Injection in prestashop/blockwishlist"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "blockwishlist",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.0.0, \u003c 2.1.1"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "prestashop/blockwishlist is a prestashop extension which adds a block containing the customer\u0027s wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp"
},
{
"name": "https://github.com/PrestaShop/blockwishlist/commit/b3ec4b85af5fd73f74d55390b226d221298ca084",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/blockwishlist/commit/b3ec4b85af5fd73f74d55390b226d221298ca084"
},
{
"name": "http://packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html"
}
]
},
"source": {
"advisory": "GHSA-2jx3-5j9v-prpp",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2.1.1",
"affected_versions": "All versions before 2.1.1",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-89",
"CWE-937"
],
"date": "2022-12-09",
"description": "prestashop/blockwishlist is a prestashop extension which adds a block containing the customer\u0027s wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.",
"fixed_versions": [
"2.1.1"
],
"identifier": "CVE-2022-31101",
"identifiers": [
"CVE-2022-31101",
"GHSA-2jx3-5j9v-prpp",
"GMS-2022-2654"
],
"not_impacted": "All versions starting from 2.1.1",
"package_slug": "packagist/prestashop/blockwishlist",
"pubdate": "2022-06-27",
"solution": "Upgrade to version 2.1.1 or above.",
"title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-31101",
"https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp",
"https://github.com/PrestaShop/blockwishlist/commit/b3ec4b85af5fd73f74d55390b226d221298ca084",
"https://github.com/advisories/GHSA-2jx3-5j9v-prpp"
],
"uuid": "1cbf4658-a3a7-4127-8d09-2d32ff0480bc"
},
{
"affected_range": "\u003c0",
"affected_versions": "All versions starting from 2.0.0 before 2.1.1",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-06-25",
"description": "### Impact\nAn authenticated customer can perform SQL injection\n\n### Patches\nIssue is fixed in 2.1.1\n",
"fixed_versions": [
"2.1.1"
],
"identifier": "GMS-2022-2654",
"identifiers": [
"GHSA-2jx3-5j9v-prpp",
"GMS-2022-2654",
"CVE-2022-31101"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.1.1",
"package_slug": "packagist/prestashop/blockwishlist",
"pubdate": "2022-06-25",
"solution": "Upgrade to version 2.1.1 or above.",
"title": "Duplicate of ./packagist/prestashop/blockwishlist/CVE-2022-31101.yml",
"urls": [
"https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp",
"https://github.com/advisories/GHSA-2jx3-5j9v-prpp"
],
"uuid": "3a61fa06-f460-47f1-9bf8-b8e2c7b5bfb3"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:prestashop:blockwishlist:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.1.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31101"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "prestashop/blockwishlist is a prestashop extension which adds a block containing the customer\u0027s wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/PrestaShop/blockwishlist/security/advisories/GHSA-2jx3-5j9v-prpp"
},
{
"name": "https://github.com/PrestaShop/blockwishlist/commit/b3ec4b85af5fd73f74d55390b226d221298ca084",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/PrestaShop/blockwishlist/commit/b3ec4b85af5fd73f74d55390b226d221298ca084"
},
{
"name": "http://packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/168003/Prestashop-Blockwishlist-2.1.0-SQL-Injection.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-12-09T16:09Z",
"publishedDate": "2022-06-27T23:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…