CVE-2020-21809
Description
SQL Injection vulnerability in NukeViet CMS module Shops 4.0.29 and 4.3 via the (1) listid parameter in detail.php and the (2) group_price or groupid parameters in search_result.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in NukeViet CMS Shops module allows unauthenticated attackers to execute arbitrary SQL commands via crafted parameters in detail.php and search_result.php.
Vulnerability
SQL injection exists in NukeViet CMS module Shops versions 4.0.29 and 4.3 [1][2]. The vulnerability is present in detail.php via the listid parameter and in search_result.php via the group_price or groupid parameters. The application fails to sanitize user input before using it in SQL queries, allowing an attacker to inject malicious SQL statements.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable pages with malicious input in the listid, group_price, or groupid parameters. No authentication is required if the pages are publicly accessible. The attacker can manipulate the parameters to break out of the intended SQL query structure [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive data, modification or deletion of database contents, and possible further compromise of the server [2]. The attacker gains the ability to read or write to the database, potentially affecting all data managed by the module.
Mitigation
The fix is available in the commit [1] and in official update packages for NukeViet 4.0.29, 4.1.02, 4.2.01, and 4.3 [4]. Users should update their NukeViet core and Shops module to the latest versions. If an immediate update is not possible, the same input validation should be applied manually as shown in the commit, where each value returned by explode() is cast to an integer before it reaches the query [1].
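As an added illustration of the mitigation described above (example code written for this page, not code from the NukeViet commit or the project), the following PHP mirrors the fix's integer cast for the comma-separated listid list and for the min-max group_price range, and goes two steps further than the shown patch: the resulting values are passed to a prepared statement instead of being concatenated into the query text, and a range value without exactly one dash is rejected rather than indexed unconditionally. The table name nv4_shops_group_quantity, the placeholder parameter names and the helper function names are assumptions made here.

```php
<?php
declare(strict_types=1);

// Added example for this page; not NukeViet code. The table name
// 'nv4_shops_group_quantity' and all function names are placeholders.

/**
 * Comma-separated id list from an HTTP parameter -> sorted array of ints.
 * Mirrors the fix: array_map('intval', explode(',', $listid)). Any element
 * that is not an integer collapses to 0, so no input can change the SQL text.
 */
function normalizeIdList(string $raw): array
{
    $ids = array_map('intval', explode(',', $raw));
    sort($ids);
    return $ids;
}

/**
 * "min-max" range -> [min, max] as ints, or null when malformed.
 * The patched search_result.php still reads index [1] unconditionally; here
 * a value without exactly one dash is rejected instead. Reversed bounds are
 * swapped (a choice made in this example, not taken from the project).
 */
function parsePriceRange(string $raw): ?array
{
    $parts = explode('-', $raw);
    if (count($parts) !== 2) {
        return null;
    }
    [$min, $max] = array_map('intval', $parts);
    return $min <= $max ? [$min, $max] : [$max, $min];
}

/**
 * 'Before' shape from the diff: the raw list is concatenated into the query,
 * so every character of the parameter becomes part of the statement.
 */
function buildQuantityQueryUnsafe(string $table, int $proId, string $rawListId): string
{
    $listid = explode(',', $rawListId);
    asort($listid);
    return 'SELECT quantity FROM ' . $table . ' WHERE pro_id = ' . $proId
        . ' AND listgroup="' . implode(',', $listid) . '"';
}

/**
 * Hardened shape: the statement text is constant and both values are
 * supplied as bound parameters. Returns [sql, params] ready for
 * PDO::prepare()/execute(); the table name comes from configuration,
 * never from the request.
 */
function buildQuantityQuerySafe(string $table, int $proId, string $rawListId): array
{
    $sql = 'SELECT quantity FROM ' . $table
        . ' WHERE pro_id = :pro_id AND listgroup = :listgroup';
    $params = [
        ':pro_id'    => $proId,
        ':listgroup' => implode(',', normalizeIdList($rawListId)),
    ];
    return [$sql, $params];
}

/** Executes the hardened builder against an open PDO connection. */
function fetchQuantity(PDO $db, string $table, int $proId, string $rawListId): ?int
{
    [$sql, $params] = buildQuantityQuerySafe($table, $proId, $rawListId);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (int) $value;
}

// Constructed inputs: a well-formed list and one carrying a non-numeric element.
foreach (['3,1,2', '2,abc,1'] as $raw) {
    echo "input: $raw\n";
    echo '  unsafe: ', buildQuantityQueryUnsafe('nv4_shops_group_quantity', 7, $raw), "\n";
    [$sql, $params] = buildQuantityQuerySafe('nv4_shops_group_quantity', 7, $raw);
    echo '  safe:   ', $sql, ' with ', json_encode($params), "\n";
}

// Constructed price ranges: valid, reversed, and missing the dash.
foreach (['100-500', '500-100', '100'] as $raw) {
    echo $raw, ' => ', json_encode(parsePriceRange($raw)), "\n";
}
```

The unsafe builder is kept only to make the contrast visible: with the cast in place the listgroup value is a string of digits and commas whatever the caller sends, and with the bound parameter the statement text no longer depends on the request at all, so the two defences are independent of each other.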
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nukeviet/nukeviet (Packagist) | >= 4.0, < 4.0.29 | 4.0.29 |
| nukeviet/nukeviet (Packagist) | >= 4.1, < 4.1.02 | 4.1.02 |
| nukeviet/nukeviet (Packagist) | >= 4.2, < 4.2.01 | 4.2.01 |
Affected products
- NukeViet / NukeViet CMS Shops (source: description)
Patches
12 files changed · +27 −27
modules/shops/funcs/detail.php+26 −26 modified@@ -16,9 +16,9 @@ $id_pro = $nv_Request->get_int('id_pro', 'post', 0); $unit = $nv_Request->get_string('pro_unit', 'post', ''); $listid = $nv_Request->get_string('listid', 'post'); - $listid = explode(',', $listid); + $listid = array_map('intval', explode(',', $listid)); asort($listid); - + $quantity = $db->query('SELECT quantity FROM ' . $db_config['prefix'] . '_' . $module_data . '_group_quantity WHERE pro_id = ' . $id_pro . ' AND listgroup="' . implode(',', $listid) . '"')->fetchColumn(); if (empty($quantity)) { $sum = 0; @@ -32,7 +32,7 @@ } } } - + $result = $db->query('SELECT listgroup, quantity FROM ' . $db_config['prefix'] . '_' . $module_data . '_group_quantity WHERE pro_id = ' . $id_pro); while (list ($listgroup, $quantity) = $result->fetch(3)) { $listgroup = explode(',', $listgroup); @@ -46,7 +46,7 @@ $sum += $quantity; } } - + if ($sum == 0 or $count == sizeof($listid)) { die('NO_0_' . $lang_module['product_empty']); } else { @@ -90,14 +90,14 @@ $array_tmp[$row['field']] = unserialize($row['language']); } } - + if (!empty($listfield)) { $result = $db->query('SELECT t1.field_value, t2.field FROM ' . $db_config['prefix'] . "_" . $module_data . "_field_value_" . NV_LANG_DATA . ' t1 INNER JOIN ' . $db_config['prefix'] . '_' . $module_data . '_field t2 WHERE t1.field_id=t2.fid AND t1.rows_id=' . $id); $data_content['template'] = $global_array_shops_cat[$data_content['listcatid']]['form']; while ($row = $result->fetch()) { $data_content['array_custom'][$row['field']] = $row['field_value']; } - + if (!empty($array_tmp)) { foreach ($array_tmp as $f_key => $field) { foreach ($field as $key_lang => $lang_data) { 
@@ -117,31 +117,31 @@ if (nv_user_in_groups($global_array_shops_cat[$catid]['groups_view'])) { $popup = $nv_Request->get_int('popup', 'post,get', 0); - + $time_set = $nv_Request->get_int($module_data . '_' . $op . '_' . $id, 'session'); if (empty($time_set)) { $nv_Request->set_Session($module_data . '_' . $op . '_' . $id, NV_CURRENTTIME); $sql = 'UPDATE ' . $db_config['prefix'] . '_' . $module_data . '_rows SET hitstotal=hitstotal+1 WHERE id=' . $id; $db->query($sql); } - + $catid = $data_content['listcatid']; $base_url_rewrite = nv_url_rewrite(NV_BASE_SITEURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $global_array_shops_cat[$catid]['alias'] . '/' . $data_content[NV_LANG_DATA . '_alias'] . $global_config['rewrite_exturl'], true); - + if ($_SERVER['REQUEST_URI'] != $base_url_rewrite and !$popup) { Header('Location: ' . $base_url_rewrite); die(); } - + // Lay don vi san pham $sql = $db->query('SELECT * FROM ' . $db_config['prefix'] . '_' . $module_data . '_units WHERE id = ' . $data_content['product_unit']); $data_unit = $sql->fetch(); $data_unit['title'] = $data_unit[NV_LANG_DATA . '_title']; - + // Hien thi tabs $sql = 'SELECT * FROM ' . $db_config['prefix'] . '_' . $module_data . '_tabs where active=1 ORDER BY weight ASC'; $data_content['tabs'] = $nv_Cache->db($sql, 'id', $module_name); - + $data_content['files'] = array(); if (!empty($data_content['tabs'])) { // Download tai lieu san pham @@ -153,7 +153,7 @@ } } } - + // Danh gia - Phan hoi $rating_total = 0; $result = $db->query('SELECT rating FROM ' . $db_config['prefix'] . '_' . $module_data . '_review WHERE product_id = ' . $data_content['id'] . ' AND status=1'); 
@@ -166,7 +166,7 @@ $data_content['rating_total'] = $rating_count; $data_content['rating_point'] = $rating_total; $data_content['rating_value'] = $rating_count > 0 ? round($rating_total / $rating_count) : 0; - + // Xac dinh anh lon $homeimgfile = $data_content['homeimgfile']; if ($data_content['homeimgthumb'] == 1) { @@ -183,7 +183,7 @@ // no image $data_content['homeimgthumb'] = NV_BASE_SITEURL . 'themes/' . $module_info['template'] . '/images/' . $module_file . '/no-image.jpg'; } - + // Tu khoa $array_keyword = array(); $key_words = array(); @@ -193,10 +193,10 @@ $key_words[] = $row['keyword']; } $key_words = !empty($key_words) ? implode(',', $key_words) : ''; - + // metatag image facebook $meta_property['og:image'] = NV_MY_DOMAIN . $data_content['homeimgfile']; - + // Fetch Limit $db->sqlreset() ->select(' id, listcatid, ' . NV_LANG_DATA . '_title, ' . NV_LANG_DATA . '_alias, homeimgfile, homeimgthumb, addtime, publtime, product_code, product_number, product_price, price_config, money_unit, discount_id, showprice, ' . NV_LANG_DATA . '_hometext,' . NV_LANG_DATA . '_gift_content, gift_from, gift_to') @@ -205,7 +205,7 @@ ->order('ID DESC') ->limit($pro_config['per_row'] * 2); $result = $db->query($db->sql()); - + $data_others = array(); while (list ($_id, $listcatid, $title, $alias, $homeimgfile, $homeimgthumb, $addtime, $publtime, $product_code, $product_number, $product_price, $price_config, $money_unit, $discount_id, $showprice, $hometext, $gift_content, $gift_from, $gift_to) = $result->fetch(3)) { if ($homeimgthumb == 1) { @@ -221,7 +221,7 @@ // no image $thumb = NV_BASE_SITEURL . 'themes/' . $module_info['template'] . '/images/' . $module_file . '/no-image.jpg'; } - + $data_others[] = array( 'id' => $_id, 'listcatid' => $listcatid, 
@@ -246,7 +246,7 @@ 'link_order' => NV_BASE_SITEURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=setcart&id=' . $_id ); } - + $array_other_view = array(); if (!empty($_SESSION[$module_data . '_proview'])) { $arrid = array(); @@ -279,7 +279,7 @@ // no image $thumb = NV_BASE_SITEURL . 'themes/' . $module_info['template'] . '/images/' . $module_file . '/no-image.jpg'; } - + $array_other_view[] = array( 'id' => $_id, 'listcatid' => $listcatid, @@ -305,9 +305,9 @@ } } } - + SetSessionProView($data_content['id'], $data_content[NV_LANG_DATA . '_title'], $data_content[NV_LANG_DATA . '_alias'], $data_content['addtime'], NV_BASE_SITEURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $global_array_shops_cat[$catid]['alias'] . '/' . $data_content[NV_LANG_DATA . '_alias'] . '-' . $data_content['id'], $data_content['homeimgthumb']); - + // comment if (isset($site_mods['comment']) and isset($module_config[$module_name]['activecomm'])) { define('NV_COMM_ID', $data_content['id']); // ID bài viết hoặc @@ -321,12 +321,12 @@ require_once NV_ROOTDIR . '/modules/comment/comment.php'; $area = (defined('NV_COMM_AREA')) ? NV_COMM_AREA : 0; $checkss = md5($module_name . '-' . $area . '-' . NV_COMM_ID . '-' . $allowed . '-' . NV_CACHE_PREFIX); - + $content_comment = nv_comment_module($module_name, $checkss, $area, NV_COMM_ID, $allowed, 1); } else { $content_comment = ''; } - + $contents = detail_product($data_content, $data_unit, $data_others, $array_other_view, $content_comment, $compare_id, $popup, $idtemplate, $array_keyword); } else { $nv_redirect = NV_BASE_SITEURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name; 
@@ -339,4 +339,4 @@ include NV_ROOTDIR . '/includes/header.php'; echo nv_site_theme($contents); include NV_ROOTDIR . '/includes/footer.php'; -} \ No newline at end of file +}
modules/shops/funcs/search_result.php+1 −1 modified@@ -38,7 +38,7 @@ if (!empty($group_price)) { $search .= " AND"; foreach ($group_price as $i => $group_price_i) { - $group_price_i = explode('-', $group_price_i); + $group_price_i = array_map('intval', explode('-', $group_price_i)); if ($group_price_i[0] <= $group_price_i[1]) { $search .= ($i > 0 ? " OR " : "") . " product_price BETWEEN " . $group_price_i[0] . " AND " . $group_price_i[1] . " "; } else {
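Review bot: in the detail.php hunk at @@ -16, the array_map('intval', ...) on $listid closes the injection point in the listgroup="..." predicate, but the values are still concatenated into the statement text; since $db here already exposes a PDO-style query()->fetchColumn(), binding implode(',', $listid) and $id_pro as parameters would make the statement shape independent of input and remove the need to reason about each concatenation separately. Two smaller points on the same hunk: asort() keeps the original keys, which implode() ignores, so ordering behaviour is unchanged by the cast; and a non-numeric element now becomes 0 rather than being rejected, so a malformed list silently turns into a lookup that matches no row instead of an explicit error, which is acceptable but worth a comment. The remaining hunks in this file are trailing-whitespace removals only; a separate formatting commit would have left the security-relevant one-line change easier to audit.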
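Review bot: in the search_result.php hunk at @@ -38, casting both halves of the min-max range to int removes the injection in the BETWEEN clause, but the next line still reads $group_price_i[1] unconditionally; a value without a dash yields a one-element array and an undefined-offset notice before the comparison runs. A count($group_price_i) === 2 check (skipping the element otherwise) before `if ($group_price_i[0] <= $group_price_i[1])` would make the malformed case explicit. Separately, the CVE description names a groupid parameter in search_result.php that this hunk does not touch; worth confirming it is handled elsewhere in the commit.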
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m8jx-mxf9-2rpw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-21809 (advisory)
- github.com/nukeviet/module-shops/commit/742c0e0f74364f7250c2a69f0a957d4e6317be68 (web reference)
- nukeviet.vn/vi/news/Tin-an-ninh/huong-dan-fix-loi-bao-mat-nukeviet-4-va-module-shops-612.html (web reference)
- whitehub.net/submissions/1517 (web reference)
- whitehub.net/submissions/1518 (web reference)