CVE-2023-46354

In the module "Orders (CSV, Excel) Export PRO" (ordersexport) < 5.2.0 from MyPrestaModules for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can access exports from the module which can lead to a leak of personal information from ps_customer/ps_address tables such as name / surname / email / phone number / full postal address.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://security.friendsofpresta.org/modules/2023/11/28/ordersexport.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:myprestamodules:orders_\(csv\,_excel\)_export_pro:*:*:*:*:*:prestashop:*:*

History

No history.

Information

Published : 2023-12-06 23:15

Updated : 2023-12-09 04:52

NVD link : CVE-2023-46354

Mitre link : CVE-2023-46354

CVE.ORG link : CVE-2023-46354

JSON object : View

Products Affected

myprestamodules

orders_\(csv\,_excel\)_export_pro

CWE

CWE-862

Missing Authorization

7.5 /10