In the module “SC Export Customers” (scexportcustomers), a guest can download personal information without restriction.

Summary

  • CVE ID: CVE-2023-30282
  • Published at: 2023-05-02
  • Platform: PrestaShop
  • Product: scexportcustomers
  • Impacted release: <= 3.6.1
  • Product author: Store Commander
  • Weakness: CWE-359
  • Severity: high (7.5), GDPR violation

Description

Due to a lack of permission controls, an unauthenticated guest can access the module's exports, which can leak personal information from the ps_customer table such as name / surname / email.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: none
  • Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

  • Steal personal data

Other recommendations

  • It is recommended to delete the module if it is not used, or to contact Store Commander
  • You should restrict access to the URI pattern modules/scexportcustomers/ to a given whitelist
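One way to apply the second recommendation at the web-server level, as an added example that is not part of the advisory or of the Store Commander module: an Apache 2.4 .htaccess placed inside modules/scexportcustomers/ that only answers requests from an allowlist of addresses. The addresses are placeholders, and the configuration assumes PrestaShop is served by Apache with mod_authz_core and an AllowOverride setting that permits AuthConfig in that directory.

```apache
# Added example (not from the advisory): allowlist for the module's URI prefix.
# File: modules/scexportcustomers/.htaccess (Apache 2.4+, mod_authz_core).
# Addresses below are placeholders; replace them with the operators' real addresses.
<RequireAny>
    # Single back-office operator address (placeholder)
    Require ip 203.0.113.10
    # Office network that runs exports (placeholder)
    Require ip 198.51.100.0/24
</RequireAny>
```

Every request for a path under modules/scexportcustomers/ from an address outside the list receives 403 before any module PHP runs, so the export endpoints are unreachable for anonymous visitors even on an unpatched release; the module's own patch should still be applied, since this only narrows who can reach the code.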

Timeline

Date        Action
2022-12-08  Issue discovered after a security audit by TouchWeb
2022-12-08  Contact author
2022-12-12  Author provides patch
2023-03-30  Request a CVE ID
2023-04-27  Received CVE ID
2023-05-02  Publish this security advisory

Store Commander thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.