CVE-2023-45380

Published: Nov 7, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In the module "Order Duplicator " Clone and Delete Existing Order" (orderduplicate) in version <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address.

Affected (1)

Products: Silbersaiten: Order Duplicator

1 product

Order Duplicator

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Silbersaiten Order Duplicator	Before 1.1.8

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://security.friendsofpresta.org/modules/2023/11/07/orderduplicate.html

Source: cve@mitre.org

Third Party Advisory

https://security.friendsofpresta.org/modules/2023/11/07/orderduplicate.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.