CVE-2022-36408: zero-day PrestaShop SQL injection vulnerability

On July 22, the open-source e-commerce solution PrestaShop released urgent patches for a critical flaw in its e-commerce platform, warning that the issue exposes online merchants to remote hacker attacks.

The security vulnerability tracked as CVE-2022-36408, which could be exploited remotely, is the result of a lack of proper validation of user-supplied input in SQL queries. As a result, an attacker could send crafted HTTP POST requests containing malicious SQL statements to affected applications, thus triggering the bug.

With nearly 300,000 sites already using its software across the globe, PrestaShop is the leading open-source ecommerce solution in Europe and Latin America. In 2020, PrestaShop sites generated more than 22 billion euros in online sales.

“The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information,” read the advisory.

CVE-2022-36408 affects versions 1.6.0.10 or greater and was fixed in version 1.7.8.7.

According to PrestaShop, “After the attackers successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.”

Users are urged to update their PrestaShop web application as soon as possible.