This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: PrestaShop 1.7.7.0 suffers from a **Time-based Boolean SQL Injection** vulnerability.…
**Affected Vendor**: PrestaShop (US-based e-commerce solution). **Affected Product**: PrestaShop **1.7.7.0**. **Published**: Jan 20, 2021. Any instance running this specific version is at risk.
Q4 What can hackers do? (Privileges/Data)
**Attacker Capabilities**: Hackers can perform **unauthorized administrative operations** and **modify data**. **Data Access**: They can obtain **sensitive information** from the backend database.…
**Public Exploit**: **YES**. A Proof of Concept (PoC) is available on **Exploit-DB** (ID: 49410) and via **Nuclei Templates** (ProjectDiscovery). Exploitation in the wild is possible using these public tools.
Q7 How to self-check? (Features/Scanning)
**Self-Check Method**: Scan for the specific parameter combination: `module=productcomments` + `controller=CommentGrade` + `id_products[]`. Use SQL injection scanners (like Nuclei) targeting PrestaShop 1.7.7.0.…
**No Patch Workaround**: If patching is delayed, **WAF (Web Application Firewall)** rules should be configured to block requests containing SQL injection patterns in the `id_products[]` parameter.…
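**Added example (not from PrestaShop or the original analysis)**: One way to run the self-check against existing web-server logs and to prototype the WAF rule is to flag requests to the `productcomments` / `CommentGrade` controller whose `id_products[]` values are not plain integers. The log lines are constructed, and the combined access-log format, the function names and the integer-only rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format assumed; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2021:10:00:01 +0000] "GET /index.php?module=productcomments'
    '&controller=CommentGrade&id_products[]=12 HTTP/1.1" 200 85',
    '203.0.113.9 - - [20/Jan/2021:10:00:07 +0000] "GET /index.php?module=productcomments'
    '&controller=CommentGrade&id_products%5B%5D=NON_NUMERIC_PLACEHOLDER HTTP/1.1" 200 85',
    '203.0.113.7 - - [20/Jan/2021:10:00:09 +0000] "GET /index.php?controller=cart'
    '&id_product=3 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate product id is a short run of ASCII digits.
INTEGER_RE = re.compile(r"[0-9]{1,10}")


def suspicious_values(request_target):
    """Return id_products[] values that are not plain integers, but only
    for requests addressed to module=productcomments, controller=CommentGrade."""
    # parse_qsl percent-decodes names and values, so id_products%5B%5D is caught too.
    params = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    lowered = {name.lower(): value.lower() for name, value in params}
    if (lowered.get("module") != "productcomments"
            or lowered.get("controller") != "commentgrade"):
        return []
    # PHP accepts both id_products[] and indexed forms such as id_products[0].
    return [value for name, value in params
            if name.startswith("id_products[") and not INTEGER_RE.fullmatch(value)]


def scan(lines):
    """Return (client_ip, offending_values) for every flagged log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        bad = suspicious_values(match.group(1))
        if bad:
            hits.append((line.split()[0], bad))
    return hits


if __name__ == "__main__":
    for client, values in scan(SAMPLE_LOG):
        print(client, values)
```

Access logs normally record only the query string, so parameters sent in a POST body need the same check applied at the WAF or in application logging.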
**Urgency**: **HIGH**. Since public exploits and PoCs are available, and the impact involves sensitive data theft and admin privilege escalation, immediate action is required. Do not ignore this CVE.