PT-2023-29975 · Prestashop+1 · Bl Modules Csvfeeds Module+1
Published 2023-11-27 · Updated 2023-12-01 · CVE-2023-46355
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Bl Modules csvfeeds module for PrestaShop versions prior to 2.6.1
Description
Overly permissive access control allows a guest to download personal information without restriction. The module does not force the administrator to set a password on feeds, so a guest can access the module's exports. As a result, personal information from the ps_customer and ps_order tables, such as name, surname, email, phone number, and postal address, can be leaked.
Recommendations
For versions prior to 2.6.1, update the csvfeeds module to version 2.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the csvfeeds module to minimize the risk of exploitation.
Related Identifiers
Affected Products
Bl Modules Csvfeeds Module
Prestashop