[CVE-2023-46352] Exposure of Private Personal Information to an Unauthorized Actor in Smart Modules – Pixel Plus: Events + CAPI + Pixel Catalog for Facebook Module module for PrestaShop

PrestaShop Security Advisory

In the module “Pixel Plus: Events + CAPI + Pixel Catalog for Facebook Module” (facebookconversiontrackingplus) up to version 2.4.8 from Smart Modules for PrestaShop, a guest can download personal informations without restriction.

Summary

  • CVE ID: CVE-2023-46352
  • Published at: 2023-10-31
  • Platform: PrestaShop
  • Product: facebookconversiontrackingplus
  • Impacted release: <= 2.4.8 (2.4.9 fixed the vulnerability)
  • Product author: Smart Modules
  • Weakness: CWE-359
  • Severity: medium (7.5), GDPR violation

Description

Due to a lack of permissions control, a guest can access exports from the module which can lead to leak of personal informations from ps_customer table such as name / surname / email

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: none
  • Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

  • Steal personal data

Timeline

DateAction
2023-05-24Issue discovered during a code review by TouchWeb.fr
2023-05-24Contact PrestaShop Addons security Team to confirm version scope by author
2023-10-10PrestaShop Addons security Team confirm versions scope by author
2023-10-11Author provide patch
2023-10-17Request a CVE ID
2023-10-23Received CVE ID
2023-10-31Publish this security advisory

Other recommendations

  • It’s recommended to upgrade to the latest version of the module facebookconversiontrackingplus.
  • You should restrict access to this URI pattern : modules/facebookconversiontrackingplus/csv/ to a given whitelist
  • You should restrict access to .csv file to a given whitelist

READ MORE