In the module “CSV Feeds PRO” (csvfeeds) up to version 2.5.2 from Bl Modules for PrestaShop, a guest can download personal information without restriction if the administrator do not force password on feeds.

Summary

  • CVE ID: CVE-2023-46355
  • Published at: 2023-11-23
  • Platform: PrestaShop
  • Product: csvfeeds
  • Impacted release: <= 2.5.2 (2.6.1 should fix the vulnerability)
  • Product author: Bl Modules
  • Weakness: CWE-359
  • Severity: high (7.5), GDPR violation

Description

Due to too permissive access control which do not force administrator to use password on feeds, a guest can access exports from the module which can lead to leak of personal information from ps_customer / ps_order table such as name / surname / email / phone number / postal address.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: low
  • Availability: low

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

  • Steal personal data

Timeline

Date Action
2023-08-27 Issue discovered during a code review by TouchWeb.fr
2023-08-27 Contact PrestaShop Addons security Team to confirm version scope by author
2023-08-29 PrestaShop Addons security Team confirm versions scope
2023-09-18 Author provide a patch
2023-10-17 Request a CVE ID
2023-10-23 Received CVE ID
2023-11-23 Publish this security advisory

Other recommendations

  • You should restrict access to this URI pattern : modules/csvfeeds/api/ and its associated front controller to a given whitelist