[CVE-2023-30282] Exposure of Private Personal Information to an Unauthorized Actor in SC Export Customers module for PrestaShop
In the module “SC Export Customers” (scexportcustomers), a guest can download personal information without restriction.
Summary
- CVE ID: CVE-2023-30282
- Published at: 2023-05-02
- Platform: PrestaShop
- Product: scexportcustomers
- Impacted release: <= 3.6.1
- Product author: Store Commander
- Weakness: CWE-359
- Severity: high (7.5), GDPR violation
Description
Due to a lack of permission control, a guest can access exports from the module, which can lead to a leak of personal information from the ps_customer table such as name, surname and email.
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: none
- Scope: unchanged
- Confidentiality: high
- Integrity: none
- Availability: none
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Possible malicious usage
- Steal personal data
Other recommendations
- It is recommended to delete the module if it is not used, or to contact Store Commander
- You should restrict access to the URI pattern modules/scexportcustomers/ to a given whitelist
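One way to apply the second recommendation, added here as an example that is not part of the original advisory or of the Store Commander module: an Apache 2.4 configuration fragment that limits every request under the module's URI to an allow-list. The addresses are RFC 5737 documentation placeholders and the log path is assumed.

```apache
# Added example (not from the advisory): allow-list the module's URI so that
# unauthenticated visitors can no longer reach its export scripts.
# Apache 2.4 syntax; place it in the shop's virtual host.
# Assumed allow-list: one administrator host and one office range.
<LocationMatch "^/modules/scexportcustomers/">
    # Deny by default; only the listed sources may request anything
    # matching the URI pattern named in the advisory.
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</LocationMatch>

# Rejected requests are answered with 403 and appear in the access log
# (for example /var/log/apache2/access.log, assumed path), which makes
# probing of this path easy to spot while the vendor patch is rolled out.
```

Behind a reverse proxy or CDN, `Require ip` sees the proxy's address unless mod_remoteip is configured, so verify the rule by requesting the path from a non-listed address and confirming a 403.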
Timeline
Date | Action
---|---
2022-12-08 | Issue discovered after a security audit by TouchWeb
2022-12-08 | Contacted author
2022-12-12 | Author provided patch
2023-03-30 | Requested a CVE ID
2023-04-27 | Received CVE ID
2023-05-02 | Published this security advisory
Store Commander thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.