PrestaShop customexporter Path Traversal Vulnerability (CVE-2023-30199) Advisory

Key Information Summary Vulnerability Identifier CVE ID: CVE-2023-30199 Release Date: 2023-05-16 Affected Scope Platform: PrestaShop Product: customexporter Affected Versions: <= 1.7.20 (Fixed Version: 1.7.21) Product Author: Webbax Vulnerability Details Weakness Type: CWE-22 (Improper Restrictions on Pathname to Restricted Directory) Severity: High (7.5), GDPR Violation CVSS Score: - Base Vector: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Confidentiality: High - Integrity: None - Availability: None Exploitation Risks Download personal data via path traversal without restrictions Steal secrets from admin controllers to unlock AJAX-based admin controllers Leak all modules and their versions to facilitate penetration testing Steal table_prefix to enable SQL injection, or steal database access to log into exposed PHPMyAdmin/Adminer, etc. Bypass WAF or .htaccess controls to read restricted files (e.g., logs in bank module internal/log/ paths) Remediation Measures Upgrade to the latest version of customexporter Restrict module access, limiting it to a whitelist Never expose PHPMyAdmin/Adminer unless at least .htpasswd is configured Adjust your WAF (Web Application Firewall) settings according to OWASP 930 rules to suit your PrestaShop environment Patch Code Example Timeline 2023-02-25: TouchWeb.fr discovered the vulnerability during code review 2023-04-24: Received CVE ID 2023-05-02: Released a new version with the fix 2023-05-16: Published this security advisory Warning This vulnerability has been exploited since March 30, 2023.

Goal Reached Thanks to every supporter — we hit 100%!

PrestaShop customexporter Path Traversal Vulnerability (CVE-2023-30199) Advisory