In the module “Order Duplicator – Clone and Delete Existing Order” (orderduplicate) in versions up to 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction.
- CVE ID: CVE-2023-45380
- Published at: 2023-11-07
- Platform: PrestaShop
- Product: orderduplicate
- Impacted release: <= 1.1.7 (1.1.8 fixed the vulnerability)
- Product author: Silbersaiten
- Weakness: CWE-359 CWE-639
- Severity: medium (7.5), GDPR violation
Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address.
Be warned that this is not the only IDOR available in this module, patch it quickly.
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: none
- Scope: unchanged
- Confidentiality: high
- Integrity: none
- Availability: none
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Possible malicious usage
- Steal personal data
- Delete data
- You should restrict access to this URI pattern : modules/orderduplicate/ to a given whitelist
|2023-07-03||Issue discovered during a code review by TouchWeb.fr|
|2023-07-03||Contact PrestaShop Addons security Team to confirm version scope by author|
|2023-07-11||PrestaShop Addons security Team confirms versions scope|
|2023-10-08||Request a CVE ID|
|2023-10-11||Received CVE ID|
|2023-11-07||Publish this security advisory|
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.