CVE-2024-25840 in Account Manager Module

Summary

by MITRE • 02/27/2024

In the module "Account Manager | Sales Representative & Dealers | CRM" (prestasalesmanager) up to 9.0 from Presta World for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.


Analysis

by VulDB Data Team • 08/23/2024

The vulnerability identified as CVE-2024-25840 resides within the PrestaShop module named "Account Manager | Sales Representative & Dealers | CRM" developed by Presta World. Versions 9.0 and earlier of this module contain a critical security flaw that allows unauthenticated attackers to access sensitive personal information through a path traversal attack. The vulnerability specifically affects the module's file download functionality, where proper input validation and access controls are absent, which undermines the confidentiality of user data.

This security weakness represents a classic path traversal vulnerability that falls under the Common Weakness Enumeration category CWE-22, which describes improper limitation of a pathname to a restricted directory. The flaw enables attackers to manipulate file path parameters in such a way that they can traverse the file system and access files outside the intended directory structure. The module's design fails to properly sanitize user-supplied input that determines file paths, allowing malicious actors to craft requests that bypass normal access controls and retrieve unauthorized data.

The operational impact of this vulnerability is severe as it affects the core privacy and security aspects of any organization using this PrestaShop module. Guest users who can access the module's download functionality can exploit this flaw to obtain personal information belonging to other users, including customer data, sales representative details, and potentially sensitive business information. The vulnerability essentially creates a backdoor that allows unauthorized data exfiltration without requiring any authentication credentials, making it particularly dangerous for organizations handling customer privacy data.

The attack vector for this vulnerability is straightforward and requires minimal technical expertise to exploit. An attacker only needs to craft malicious requests that manipulate the file path parameters to traverse directories and access restricted files. This attack pattern aligns with the techniques documented in the MITRE ATT&CK framework under the T1078 credential access tactic, specifically targeting the exploitation of weak file access controls and path traversal vulnerabilities. The vulnerability's impact extends beyond simple data theft as it can lead to identity theft, unauthorized access to business operations, and potential compliance violations under data protection regulations such as GDPR.

Organizations using this module should immediately implement mitigations including input validation, proper access controls, and file path sanitization. The recommended approach involves implementing strict file path validation that prevents directory traversal attempts, enforcing authentication checks for all download operations, and restricting file access to authorized users only. Additionally, implementing proper logging and monitoring for suspicious file access patterns can help detect and respond to exploitation attempts. Regular security updates and patches from the module vendor should be applied immediately upon availability to address this vulnerability and prevent potential exploitation by threat actors.
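The path validation and authentication checks recommended above, as an added PHP example; it is not code from the module or its vendor. The function name `resolveDownload`, the per-customer directory layout and the sample files are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not the module's code. Assumed layout: <baseDir>/<customerId>/<file>.
function resolveDownload(string $baseDir, string $requested, ?int $customerId): ?string
{
    // Guests get nothing: every download needs a logged-in customer.
    if ($customerId === null) {
        return null;
    }
    // Accept a bare file name only: no separators, no NUL byte, no dot entries.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpos($requested, "\0") !== false
        || strpbrk($requested, '/\\') !== false) {
        return null;
    }
    $root = realpath($baseDir . DIRECTORY_SEPARATOR . $customerId);
    if ($root === false) {
        return null; // this customer has no export directory
    }
    // Canonicalise (resolves symlinks and any remaining ".."), then require the
    // result to sit under the customer's own directory. The trailing separator
    // keeps ".../12" from matching ".../123".
    $path = realpath($root . DIRECTORY_SEPARATOR . $requested);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed sample data in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'exports_' . bin2hex(random_bytes(4));
mkdir($base . '/12', 0700, true);
mkdir($base . '/123', 0700, true);
file_put_contents($base . '/12/report.csv', "constructed\n");
file_put_contents($base . '/123/report.csv', "constructed\n");

$cases = [
    ['report.csv', 12],          // customer requesting a file in their own directory
    ['report.csv', null],        // guest, no customer id
    ['../123/report.csv', 12],   // name containing a path separator
    ['..', 12],                  // dot entry
];
foreach ($cases as [$name, $id]) {
    $result = resolveDownload($base, $name, $id);
    printf("%-20s customer=%-4s => %s\n", $name, $id ?? 'none', $result === null ? 'denied' : 'allowed');
}
```

Logging each denied request with the requested name and client address gives the monitoring described above something to alert on.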

Reservation: 02/12/2024

Disclosure: 02/27/2024

Moderation: accepted

CPE: ready

EPSS: 0.00582

KEV: no

Activities: very low
