[CVE-2023-48926] Insecure Direct Object Reference in Advanced Loyalty Program: Loyalty Points module for PrestaShop

PrestaShop Security Advisory

In the module “Advanced Loyalty Program: Loyalty Points” (totloyaltyadvanced) from 2.3.3 to version 2.3.4 from 202 ecommerce for PrestaShop, a guest can change an order status.


  • CVE ID: CVE-2023-48926
  • Published at: 2024-01-09
  • Platform: PrestaShop
  • Product: totloyaltyadvanced
  • Advisory source: 202 ecommerce
  • Impacted release: >=2.3.3 and <2.3.4 (2.3.4 fix the issue)
  • Product author: 202 ecommerce
  • Weakness: CWE-639
  • Severity: high (7.5)


The orderstatus front controller suffers from a logical weakness.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: none
  • Integrity: high
  • Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

  • Confirm an unpaid cart


Remove file controllers/front/orderstatus.php


2023-10-22Issue discovered during a code review by TouchWeb.fr
2023-10-22Contact Author to confirm version scope by author
2023-11-09Publish a new release on addons
2023-11-15Request a CVE ID
2024-01-09Publish this advisory