CVE-2021-37538

Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller.
References
Link Resource
https://blog.sorcery.ie/posts/smartblog_sqli/ Exploit Third Party Advisory
https://classydevs.com/free-modules/smartblog/ Product Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:smartdatasoft:smartblog:*:*:*:*:*:prestashop:*:*

History

No history.

Information

Published : 2021-08-24 13:15

Updated : 2024-02-28 18:28


NVD link : CVE-2021-37538

Mitre link : CVE-2021-37538

CVE.ORG link : CVE-2021-37538


JSON object : View

Products Affected

smartdatasoft

  • smartblog
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')