SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name. or q parameter in the autocompletion.php front controller.
References
Link | Resource |
---|---|
https://addons.prestashop.com/fr/inscription-processus-de-commande/6097-city-autocomplete.html | Product |
https://friends-of-presta.github.io/security-advisories/module/2023/06/01/cityautocomplete.html | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
History
12 Jun 2023, 13:58
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://addons.prestashop.com/fr/inscription-processus-de-commande/6097-city-autocomplete.html - Product | |
References | (MISC) https://friends-of-presta.github.io/security-advisories/module/2023/06/01/cityautocomplete.html - Exploit, Third Party Advisory | |
First Time |
Ebewe city Autocomplete
Ebewe Prestashop Prestashop prestashop |
|
CWE | CWE-89 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:ebewe:city_autocomplete:*:*:*:*:*:prestashop:*:* cpe:2.3:a:prestashop:prestashop:1.5.0.0:*:*:*:*:*:*:* cpe:2.3:a:prestashop:prestashop:1.6.0.0:*:*:*:*:*:*:* cpe:2.3:a:prestashop:prestashop:1.7.0.0:-:*:*:*:*:*:* |
02 Jun 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-02 15:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-30149
Mitre link : CVE-2023-30149
CVE.ORG link : CVE-2023-30149
JSON object : View
Products Affected
ebewe
- city_autocomplete
prestashop
- prestashop
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')