Eval Injection in PrestaShop - CVE-2022-31181

 

Eval Injection in PrestaShop - CVE-2022-31181

Published: July 25, 2022 / Updated: May 4, 2026


Vulnerability identifier: #VU129570
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2022-31181
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PrestaShop SA
Affected software:
PrestaShop

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the MySQL Smarty cache feature when processing data influenced by an SQL injection. A remote attacker can exploit an SQL injection to inject code into dynamically evaluated content to execute arbitrary code.

Exploitation is possible only if the shop is also vulnerable to an SQL injection.


How to mitigate CVE-2022-31181

Install security update from vendor's website.

Sources