CVE-2023-46346 in Product Catalog Export Pro Module
Summary
by MITRE • 10/25/2023
In the module "Product Catalog (CSV, Excel, XML) Export PRO" (exportproducts) in versions up to 4.1.1 from MyPrestaModules for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack. Due to a lack of permissions control and a lack of control in the path name construction, a guest can perform a path traversal to view all files on the information system.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/15/2026
The vulnerability CVE-2023-46346 affects the Product Catalog export module from MyPrestaModules for PrestaShop, specifically versions up to 4.1.1. This represents a critical security flaw that allows unauthenticated attackers to access sensitive personal information through a path traversal attack. The module's design lacks proper input validation and access control mechanisms, creating an exploitable condition that fundamentally undermines the system's security posture. The vulnerability exists within the exportproducts module's file handling functionality, where user-supplied input is not properly sanitized before being used in file path construction operations.
The technical flaw manifests through insufficient validation of file path parameters within the module's code implementation. When a guest user submits a request to export product catalog data, the system accepts user input without proper sanitization or authorization checks. This creates a path traversal condition where malicious input can manipulate the file system path to access directories and files outside the intended scope. The vulnerability is classified as CWE-22 Path Traversal and directly relates to improper input validation and inadequate access controls. Attackers can construct malicious file paths that traverse up the directory structure using sequences like "../" or similar path manipulation techniques to access files that should remain restricted.
The operational impact of this vulnerability is severe and far-reaching for any PrestaShop installation using the affected module. A guest user can potentially access all files on the information system, including sensitive personal data, configuration files, database credentials, and other confidential information stored on the server. This creates a comprehensive data breach scenario where attackers can extract personal information of customers, administrative credentials, and system configuration details that could lead to further exploitation. The vulnerability essentially provides an unrestricted file access mechanism that bypasses all normal authentication and authorization controls, making it particularly dangerous for e-commerce platforms handling sensitive customer data. The lack of permission controls means that any user, regardless of authentication status, can exploit this vulnerability to access restricted system resources.
Mitigation strategies for CVE-2023-46346 should include immediate patching of the affected module to version 4.1.2 or later, which contains the necessary security fixes. Organizations should implement proper input validation and sanitization for all user-supplied data, particularly when constructing file paths or handling file operations. The implementation of proper access controls and authorization checks should be enforced before any file access operations occur. Additionally, the principle of least privilege should be applied to restrict file system access to only necessary operations, and directory traversal attack prevention mechanisms should be deployed. System administrators should conduct thorough security audits of all installed modules and ensure that proper file permissions are configured to prevent unauthorized access. The vulnerability aligns with ATT&CK technique T1078 Valid Accounts and T1566 Phishing, as it can lead to credential theft and unauthorized access to system resources. Organizations should also implement monitoring and logging for unusual file access patterns and ensure that all PrestaShop installations are kept up to date with the latest security patches to prevent similar vulnerabilities from being exploited.