Main Vulnerability Database Vulnerabilities #VU129570

Eval Injection in PrestaShop - CVE-2022-31181

Published: July 25, 2022 / Updated: May 4, 2026

Vulnerability identifier: #VU129570

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2022-31181

CWE-ID: CWE-95

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
PrestaShop

Software vendor:
PrestaShop SA

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the MySQL Smarty cache feature when processing data influenced by an SQL injection. A remote attacker can exploit an SQL injection to inject code into dynamically evaluated content to execute arbitrary code.

Exploitation is possible only if the shop is also vulnerable to an SQL injection.

Remediation

Install security update from vendor's website.

External links

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4

Eval Injection in PrestaShop - CVE-2022-31181

Description

Remediation

External links

Please verify you're human