CVE-2020-21809

CRITICAL 9.8 | EPSS 0.59%

NukeViet SQL Injection vulnerability

Published: 5/24/2022
Modified: 4/24/2024

Description

SQL Injection vulnerability in NukeViet CMS module Shops 4.0.29 and 4.3 via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php.

Fix Implementation:

Download the update package corresponding to the NukeViet version you are using, extract and upload to hosting according to NukeViet's structure:

- For NukeViet 4.0 Official (4.0.29)
- For NukeViet 4.1 Official (4.1.02)
- For NukeViet 4.2 (4.2.01)

As for NukeViet 4.3, you can update according to the notice in the admin page or see here: https://nukeviet.vn/vi/news/Tin-tuc/thong-bao-phat-hanh-nukeviet-4-3-08-613.html

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

References (6)