What is CVE-2020-26248?

CVE-2020-26248 is a medium-severity vulnerability in Prestashop Productcomments, classified under SQL Injection. CVSS score: 6.8/10. Published 2020-12-03.

How severe is CVE-2020-26248?

Medium severity. CVSS v3 base score is 6.8 out of 10.

Is CVE-2020-26248 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SQL Injection in Prestashop Productcomments

CVE-2020-26248

In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.

Vulnerability class: SQL Injection

EPSS: 0.774 (99.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H.

Affected products

Prestashop Productcomments — versions >= 4.0.0, < 4.2.1

Weakness classification (CWE)

CWE-89 — SQL Injection

Public proof-of-concept exploits

References

github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9 (x_refsource_CONFIRM)
packagist.org/packages/prestashop/productcomments (x_refsource_MISC)
github.com/PrestaShop/productcomments/commit/7c2033dd811744e021da8897c80d6c301c… (x_refsource_MISC)
github.com/PrestaShop/productcomments/releases/tag/v4.2.1 (x_refsource_MISC)
packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injec… (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-26248?: CVE-2020-26248 is a medium-severity vulnerability in Prestashop Productcomments, classified under SQL Injection. CVSS score: 6.8/10. Published 2020-12-03.
How severe is CVE-2020-26248?: Medium severity. CVSS v3 base score is 6.8 out of 10.
Is CVE-2020-26248 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.