CVE-2023-48926 in Advanced Loyalty Program

Summary

by MITRE • 01/16/2024

An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status.


Analysis

by VulDB Data Team • 06/02/2025

The vulnerability identified as CVE-2023-48926 affects the 202 ecommerce Advanced Loyalty Program module for PrestaShop in versions prior to v2.3.4. It is a critical authorization bypass that undermines the integrity of order processing within the e-commerce platform. The flaw stems from insufficient input validation and access control in the module's order status management functionality, which opens a path for unauthorized modifications to customer orders.

Technically, the flaw is a missing authentication check when order status updates are processed through the module's administrative interfaces. Attackers can exploit it by crafting requests that manipulate order status parameters without valid credentials or authorization tokens. The weakness lies in the module's API endpoints or administrative functions that handle order modifications, so an unauthorized party can move an order from pending to shipped, paid, or any other status regardless of the actual state of the transaction.

The operational impact goes beyond simple order manipulation and is a significant threat to business integrity and customer trust. Unauthenticated attackers can alter order statuses to facilitate fraud, distort inventory tracking, or create discrepancies in financial reporting. The module can no longer be relied on to keep accurate order records, which can lead to revenue loss, inventory mismanagement, and potential legal complications. Businesses that depend on the loyalty program module for customer engagement and rewards are affected in particular, because tampered order statuses invalidate loyalty point calculations and reward distributions.

From a cybersecurity perspective, this vulnerability aligns with CWE-285, which covers insufficient authorization in software systems. It reflects poor input validation and inadequate session management that violate fundamental security principles. Organizations running PrestaShop with this module face exploitation through automated scanning tools or manual attack vectors aimed at the affected endpoints. The vulnerability also maps to ATT&CK technique T1078.004, which covers valid accounts used for unauthorized access, since attackers can use the module's legitimate functionality without proper authentication.

The recommended mitigation is to upgrade immediately to version 2.3.4 or later of the 202 ecommerce Advanced Loyalty Program module, where the authorization bypass has been addressed. Organizations should also restrict network-level access to administrative endpoints and consider adding monitoring for unauthorized order status changes. Security teams should review existing access controls and ensure that proper authentication is enforced for every administrative function within the PrestaShop platform. Regular vulnerability assessments and security audits should be conducted to find similar authorization flaws in other third-party modules and custom code.
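To make the authorization checks concrete, the following is an added illustration (not the 202 ecommerce module's code, whose internals this entry does not show) of a PrestaShop 1.7 module front controller that changes an order status, first in the unchecked shape that matches CWE-285 and then with the checks the mitigation calls for. The controller names and the customer self-cancel use case are assumptions.

```php
<?php
// Assumed PrestaShop 1.7 module front controller (illustration only, not the module's code).
// Vulnerable shape: any request that reaches the URL sets any state on any order.
class ExampleLoyaltyStatusUnsafeModuleFrontController extends ModuleFrontController
{
    public function postProcess()
    {
        $order = new Order((int) Tools::getValue('id_order'));
        $history = new OrderHistory();
        $history->id_order = (int) $order->id;
        $history->changeIdOrderState((int) Tools::getValue('id_state'), $order);
        $history->addWithemail();
    }
}

// Hardened shape: session, customer-bound token, ownership, and a fixed target state.
class ExampleLoyaltyStatusModuleFrontController extends ModuleFrontController
{
    public function postProcess()
    {
        $customer = $this->context->customer;
        // 1. Caller must be an authenticated customer (no anonymous status changes).
        if (!$customer->isLogged()) {
            $this->deny();
        }
        // 2. Request must carry the token PrestaShop derives from this customer's session.
        if (!hash_equals(Tools::getToken(false), (string) Tools::getValue('token'))) {
            $this->deny();
        }
        // 3. The order must exist and belong to the caller.
        $order = new Order((int) Tools::getValue('id_order'));
        if (!Validate::isLoadedObject($order) || (int) $order->id_customer !== (int) $customer->id) {
            $this->deny();
        }
        // 4. The target state is fixed server-side (customer self-cancel); it is never
        //    read from the request, so "paid" or "shipped" cannot be reached this way.
        $history = new OrderHistory();
        $history->id_order = (int) $order->id;
        $history->id_employee = 0; // non-employee change, visible as such in order history
        $history->changeIdOrderState((int) Configuration::get('PS_OS_CANCELED'), $order);
        $history->addWithemail();
    }

    private function deny()
    {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}
```

For the monitoring the mitigation suggests, order history rows written with no employee and no matching payment or customer session are the ones worth alerting on.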

Reservation

11/20/2023

Disclosure

01/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00346

KEV

no

Activities

very low

Sources
