In the module “Axepta” (axepta) from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date) / postal address / email / etc without restriction.

Summary

  • CVE ID: CVE-2024-34991
  • Published at: 2024-06-20
  • Platform: PrestaShop
  • Product: axepta
  • Impacted release: <= 1.3.3 (1.3.4 fixed the vulnerability)
  • Product author: Quadra Informatique
  • Weakness: CWE-359
  • Severity: high (7.5), GDPR violation

Description

Due to a lack of permission control, a guest can access debug log from the module which can lead to leak of personal information such as partial credit card information (expiry date), postal address, email, etc which are encoded in base64.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: none
  • Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

  • Steal personal data

Timeline

Date Action
2023-08-25 Issue discovered during a code review by TouchWeb.fr
2023-08-25 Contact Author to confirm versions scope by author
2023-08-28 Author confirms the leak
2023-08-28 Author provides a patch (confirmed on 2024-05-06)
2024-05-06 Author confirms versions scope
2024-05-15 Received CVE ID
2024-06-18 Publish this security advisory

Other recommendations

  • It’s recommended to upgrade to the latest version of the module axepta.
  • You should restrict access to this URI pattern : modules/axepta/log/ to a given whitelist