In the module “Newsletter Popup PRO with Voucher/Coupon code” (newsletterpop) before version 2.6.1 from Active Design for PrestaShop, a guest can perform SQL injection in affected versions. The method NewsletterpopsendVerificationModuleFrontController::checkEmailSubscription()
has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
[
{
"cpes": [
"cpe:2.3:a:prestashop:newsletter_popup_pro:*:*:*:*:*:*:*:*"
],
"vendor": "prestashop",
"product": "newsletter_popup_pro",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "2.61",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]