CVE-2020-15160

9.8 CRITICAL

📋 TL;DR

CVE-2020-15160 is a blind SQL injection vulnerability in the Catalog Product edition page of PrestaShop, reachable through that page's location parameter, which allows an attacker with access to the page to execute arbitrary SQL commands against the shop database. It affects PrestaShop versions 1.7.5.0 through 1.7.6.7. A successful attacker can potentially extract, modify, or delete database content, including sensitive customer and administrative data.

💻 Affected Systems

Products:
  • PrestaShop
Versions: 1.7.5.0 through 1.7.6.7
Operating Systems: All platforms running PrestaShop (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the Catalog Product edition page, which typically requires administrative privileges, but could be exploited via stolen credentials or other access vectors.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover by escalating the SQL injection to remote code execution.

🟠 Likely Case: Extraction of sensitive customer data (emails, addresses, payment info) or administrative credentials, or manipulation of product/category data.

🟢 If Mitigated: Limited impact if database permissions are properly restricted and a web application firewall blocks SQL injection patterns.

🌐 Internet-Facing: HIGH - PrestaShop is typically deployed as an internet-facing e-commerce platform, so its admin area is often directly reachable by attackers.
🏢 Internal Only: MEDIUM - Lower risk if deployed internally only, but still exposed to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires administrative access to the Catalog Product edition page. Public proof-of-concept demonstrates the SQL injection technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.6.8

Vendor Advisory: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fghq-8h87-826g

Restart Required: No

Instructions:

1. Back up your PrestaShop installation and database.
2. Download PrestaShop 1.7.6.8 or later from the official repository.
3. Replace the affected files with the patched versions.
4. Clear the cache and verify functionality.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement input validation for the location parameter in the Catalog Product edition page to reject SQL injection patterns. Modify the affected PHP files so that the location parameter reaches the database only through prepared statements or parameterized queries, never by concatenation into the SQL string.

Web Application Firewall (all platforms)

Deploy a WAF with SQL injection protection rules to block exploitation attempts. Configure it to inspect POST and GET parameters for SQL injection patterns.

🧯 If You Can't Patch

  • Restrict access to the Catalog Product edition page using IP whitelisting or additional authentication layers.
  • Implement database-level controls: use least privilege accounts, enable query logging, and restrict database user permissions.

🔍 How to Verify

Check if Vulnerable:

Check PrestaShop version in admin panel or via file inspection. Versions 1.7.5.0 through 1.7.6.7 are vulnerable.

Check Version:

Check /app/config/parameters.php or admin dashboard for version information.

Verify Fix Applied:

Verify that the installed version is 1.7.6.8 or later. Then confirm that the Catalog Product edition page still works and that SQL injection test patterns in the location parameter are rejected or handled safely.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin panel followed by Catalog Product page access
  • Unexpected location parameter values in web server logs

Network Indicators:

  • HTTP requests to Catalog Product page with SQL injection patterns in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_server" AND (uri="/admin*" AND (param="location" AND value MATCH "[';]|UNION|SELECT"))
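The SIEM query above, expressed as a script that can be run over access-log lines offline (added example, not code from the advisory or from PrestaShop). It assumes Common Log Format lines and, because PrestaShop admin directories are renamed per install, treats any path containing "admin" as the admin area; the log lines are constructed samples.

```python
"""Flag access-log requests to the admin area whose `location` parameter
carries SQL-injection markers (quote, semicolon, UNION, SELECT), mirroring
the SIEM query. Added example; sample lines are constructed, not captured."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Same markers as the SIEM query, case-insensitive, with word boundaries on the keywords.
SQLI_MARKERS = re.compile(r"[';]|\bUNION\b|\bSELECT\b", re.IGNORECASE)

# Common Log Format: client ip, identd, user, [timestamp], "METHOD target HTTP/x", status.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_location_requests(lines):
    """Return (client ip, timestamp, decoded location value) for each request
    to an admin path whose `location` parameter matches SQLI_MARKERS."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        parts = urlsplit(m["target"])
        # Assumption: the renamed admin directory still contains "admin".
        if "admin" not in parts.path.lower():
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("location", []):
            value = unquote_plus(raw)  # parse_qs decoded once; this catches double encoding
            if SQLI_MARKERS.search(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2020:10:01:02 +0000] "GET /admin123/index.php?controller=AdminProducts&location=warehouse%20A HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Sep/2020:10:01:07 +0000] "GET /admin123/index.php?controller=AdminProducts&location=a%27%20UNION%20SELECT%201 HTTP/1.1" 200 498',
    '198.51.100.2 - - [10/Sep/2020:10:02:11 +0000] "GET /index.php?location=Paris%27 HTTP/1.1" 200 2048',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_location_requests(SAMPLE_LOG):
        print(f"{ts} {ip} location={value!r}")
```

Only the second sample line is flagged: the first carries a benign value and the third hits a non-admin path, which the rule deliberately ignores.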
