CVE-2020-21809: 
PHP vulnerability analysis and mitigation

SQL Injection vulnerability affects NukeViet CMS module Shops versions 4.0.29 and 4.3 through multiple parameters: (1) listid parameter in detail.php and (2) groupprice or groupid parameters in searchresult.php. The vulnerability was discovered in December 2019 and received a CVSS v3.1 base score of 9.8 CRITICAL (NVD).

The vulnerability is classified as CWE-89 (SQL Injection) and allows attackers to manipulate SQL queries through unvalidated input parameters. The affected parameters include listid in detail.php and groupprice/groupid in searchresult.php. The vulnerability received a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The SQL injection vulnerability allows attackers to execute arbitrary SQL commands within the application database. This could potentially lead to unauthorized access to sensitive data, modification of database contents, and in some cases, remote code execution capabilities (WhiteHub, WhiteHub).

Patches have been released to address the vulnerability. Site administrators are advised to update to the patched versions immediately. For NukeViet 4.0 Official (4.0.29) and NukeViet 4.3, specific security patches are available through the official channels. The fixes include proper input validation and sanitization of the affected parameters (NukeViet Advisory).