SQLi in XIPBlog Prestashop Module CVE-2023-27847
This is a belated stub post about SQLi vulnerabilities I found in XIPBlog (a Prestashop module developed by Xpert-Idea) back in 2021.
The technical details are available on the advisory here.
Timeline
| Date | Action |
|---|---|
| 22/06/2021 | Issue discovered during a pentest |
| 26/06/2021 | Submitted pull request on their Github repo |
| 09/02/2022 | Pull request accepted |
| 02/12/2022 | 202-ecommerce finds the same vulnerability independently |
| 15/02/2023 | 202-ecommerce contacts me offering to handle applying for a CVE for this bug, as I hadn't done so |
| 15/02/2023 | Number CVE-2022-31101 assigned |
| 23/03/2023 | Vulnerability disclosed in Friends of Presta advisory |
| 03/08/2023 | Blog post released |
