CVE-2023-46346

In the module "Product Catalog (CSV, Excel, XML) Export PRO" (exportproducts) in versions up to 4.1.1 from MyPrestaModules for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack. Due to a lack of permissions control and a lack of control in the path name construction, a guest can perform a path traversal to view all files on the information system.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html	Third Party Advisory
https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:myprestamodules:exportproducts:*:*:*:*:*:prestashop:*:*

History

21 Nov 2024, 08:28

Type	Values Removed	Values Added
References	~~() https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html - Third Party Advisory~~	() https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html - Third Party Advisory

01 Nov 2023, 18:15

Type	Values Removed	Values Added
CWE		CWE-22
First Time		Myprestamodules Myprestamodules exportproducts
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html -~~	(MISC) https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html - Third Party Advisory
CPE		cpe:2.3:a:myprestamodules:exportproducts::::::prestashop::*

25 Oct 2023, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-25 18:17

Updated : 2024-11-21 08:28

NVD link : CVE-2023-46346

Mitre link : CVE-2023-46346

CVE.ORG link : CVE-2023-46346

JSON object : View

Products Affected

myprestamodules

exportproducts

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-46346", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-25T18:17:37.650", "references": [{"url": "https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "In the module \"Product Catalog (CSV, Excel, XML) Export PRO\" (exportproducts) in versions up to 4.1.1 from MyPrestaModules for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack. Due to a lack of permissions control and a lack of control in the path name construction, a guest can perform a path traversal to view all files on the information system."}, {"lang": "es", "value": "En el m\u00f3dulo \"Product Catalog (CSV, Excel, XML) Export PRO\" (exportar productos) en versiones hasta 4.1.1 de MyPrestaModules para PrestaShop, un invitado puede descargar informaci\u00f3n personal sin restricciones realizando un ataque de path traversal. Debido a la falta de control de permisos y a la falta de control en la construcci\u00f3n del nombre de la ruta, un invitado puede realizar un path traversal para ver todos los archivos en el sistema de informaci\u00f3n."}], "lastModified": "2024-11-21T08:28:19.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:myprestamodules:exportproducts:*:*:*:*:*:prestashop:*:*", "vulnerable": true, "matchCriteriaId": "6A5B745C-55DB-49D5-8125-5798242D1403", "versionEndExcluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}