CVE-2023-45380

8.8 HIGH

📋 TL;DR

The PrestaShop 'Order Duplicator' module (technical name orderduplicate) in versions up to 1.1.7 lets an unauthenticated guest download customer personal data, including names, postal addresses and phone numbers. Any PrestaShop store that has a vulnerable version installed and enabled is exposed; no account or session is required. The root cause is missing access control on the module's data export functionality.

💻 Affected Systems

Products:
  • PrestaShop Order Duplicator module (orderduplicate)
Versions: <= 1.1.7
Operating Systems: All (module is PHP-based)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PrestaShop installations with the vulnerable module installed and enabled.

📦 What is this software?

A third-party PrestaShop add-on (technical name orderduplicate) that lets back-office staff clone existing orders. It is distributed through addons.prestashop.com and, once installed, lives under /modules/orderduplicate/ on the web server.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Mass exfiltration of all customer PII (personally identifiable information), leading to identity theft, phishing campaigns, regulatory fines (GDPR/CCPA) and reputational damage.

🟠 Likely Case: Targeted harvesting of customer data for spam, social engineering or sale on dark-web markets.

🟢 If Mitigated: No data exposure once the module is patched, disabled or removed, or access to its endpoints is otherwise restricted.

🌐 Internet-Facing: HIGH - The module's endpoints are reachable by anyone who can reach the storefront, and no account or session is needed.
🏢 Internal Only: LOW - E-commerce storefronts are rarely internal-only; where a store is reachable only from an internal network, exposure is limited to users on that network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation takes ordinary HTTP requests to the module's front-office endpoints and no authentication. Proof-of-concept details are public in the vendor advisory linked below.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.8 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/11/07/orderduplicate.html

Restart Required: No

Instructions:

1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Search for 'Order Duplicator'.
4. Click 'Upgrade' to move to version 1.1.8 or later.
5. Alternatively, download the latest version from addons.prestashop.com and upload it manually via Module Manager > Upload a module.

🔧 Temporary Workarounds

Disable vulnerable module (applies to: all platforms)

Temporarily disable the Order Duplicator module until it can be patched.

Navigate to Modules > Module Manager in the PrestaShop admin, find 'Order Duplicator' and click 'Disable'.

Remove module completely (applies to: all platforms)

Uninstall the vulnerable module if its functionality is not required. Uninstalling removes the module's database records; also delete the module directory (/modules/orderduplicate/) from disk if the uninstaller leaves it in place, so none of the vulnerable PHP files remain on the server.

Navigate to Modules > Module Manager in the PrestaShop admin, find 'Order Duplicator' and click 'Uninstall'.

🧯 If You Can't Patch

  • Add web application firewall (WAF) rules that block requests to the module's endpoints. Cover both URL forms PrestaShop uses to reach a module's front controllers: the friendly URL /module/orderduplicate/<controller> and the query form index.php?fc=module&module=orderduplicate&controller=<controller>.
  • Restricting /modules/orderduplicate/ via .htaccess or the web server configuration only blocks direct access to the files; requests routed through index.php still reach the controllers, so combine it with the rules above. Both measures also block legitimate use of the module's front-office features, which is acceptable only as a stopgap.

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > Order Duplicator. If version is 1.1.7 or earlier, you are vulnerable.

Check Version:

No dedicated CLI command. Check via the PrestaShop admin interface, or read the version the module declares in its constructor in /modules/orderduplicate/orderduplicate.php (the line `$this->version = '...';`); the installer also records it in /modules/orderduplicate/config.xml inside a <version> element.

Verify Fix Applied:

After the update, verify that the module version shows 1.1.8 or later. Then, from a browser or client with no PrestaShop session, confirm that the module's front-office endpoints no longer return customer data.
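The version check described above, as an added example that is not part of this page or of the module's own code. It reads the version from the module's main PHP file (the `$this->version = '...'` assignment PrestaShop modules set in their constructor) and falls back to config.xml, then compares it numerically against the fixed release so that 1.1.10 is correctly treated as newer than 1.1.8. The sample PHP and XML embedded for the demo are constructed, not the module's real source.

```python
import re
import tempfile
from pathlib import Path

MODULE_NAME = "orderduplicate"
FIXED_VERSION = "1.1.8"  # first release without the flaw, per the vendor advisory

# PrestaShop modules declare their version in the main module file's constructor
# ($this->version = '1.1.7';) and the installer records it in config.xml
# (<version><![CDATA[1.1.7]]></version>). Both forms are parsed here.
_PHP_VERSION_RE = re.compile(r"""\$this->version\s*=\s*['"]([0-9][0-9.]*)['"]""")
_XML_VERSION_RE = re.compile(
    r"<version>\s*(?:<!\[CDATA\[)?\s*([0-9][0-9.]*)\s*(?:\]\]>)?\s*</version>"
)

# Constructed sample files for the demo; not the module's real source.
SAMPLE_PHP = """<?php
class Orderduplicate extends Module
{
    public function __construct()
    {
        $this->name = 'orderduplicate';
        $this->version = '1.1.7';
        parent::__construct();
    }
}
"""
SAMPLE_XML = "<module><name>orderduplicate</name><version><![CDATA[1.1.7]]></version></module>"


def parse_version(version):
    """'1.1.10' -> (1, 1, 10); numeric comparison, so 1.1.10 > 1.1.8."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def extract_version(text, kind):
    """Pull the version string out of module PHP ('php') or config.xml ('xml') text."""
    pattern = _PHP_VERSION_RE if kind == "php" else _XML_VERSION_RE
    match = pattern.search(text)
    return match.group(1) if match else None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True for every version below the fixed release, i.e. 1.1.7 and earlier."""
    return parse_version(version) < parse_version(fixed)


def check_module_dir(module_dir):
    """Return (version, vulnerable) for an installed module directory.

    The PHP file is authoritative because it is what actually runs; config.xml
    is only a fallback. Returns (None, None) when no version can be read,
    for example when the module is not installed at all.
    """
    module_dir = Path(module_dir)
    version = None
    php_file = module_dir / f"{MODULE_NAME}.php"
    if php_file.is_file():
        version = extract_version(php_file.read_text(errors="replace"), "php")
    xml_file = module_dir / "config.xml"
    if version is None and xml_file.is_file():
        version = extract_version(xml_file.read_text(errors="replace"), "xml")
    if version is None:
        return None, None
    return version, is_vulnerable(version)


def demo():
    """Write the constructed sample module into a temp dir and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        module_dir = Path(tmp) / "modules" / MODULE_NAME
        module_dir.mkdir(parents=True)
        (module_dir / f"{MODULE_NAME}.php").write_text(SAMPLE_PHP)
        (module_dir / "config.xml").write_text(SAMPLE_XML)
        return check_module_dir(module_dir)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else None
    version, vulnerable = check_module_dir(target) if target else demo()
    if version is None:
        print(f"{MODULE_NAME}: not found or version unreadable")
    else:
        state = f"VULNERABLE (upgrade to {FIXED_VERSION} or later)" if vulnerable else "patched"
        print(f"{MODULE_NAME} {version}: {state}")
```

Run it with the path of the installed module (for example `python3 check_orderduplicate.py /var/www/prestashop/modules/orderduplicate`); with no argument it checks the constructed sample and reports 1.1.7 as vulnerable. A version on disk that reads 1.1.8 or later while the module stays enabled is the expected post-patch state; a directory that is absent is also fine, provided the module is not still registered in the database.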

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to the module's front controllers (paths under /modules/orderduplicate/ or /module/orderduplicate/, or index.php?fc=module&module=orderduplicate) from clients that have no back-office session
  • Unusual volumes of successful (HTTP 200) responses from those paths, especially many distinct order or customer identifiers requested in quick succession from one client

Network Indicators:

  • GET/POST requests to module export endpoints without authentication cookies
  • Bursts of data downloads from customer data endpoints

SIEM Query:

web_access_logs
| where url contains "/modules/orderduplicate/" or url contains "/module/orderduplicate/" or (url contains "fc=module" and url contains "module=orderduplicate")
| where status_code = 200
| where authenticated_user = "guest" or authenticated_user is null
| summarize hits = count() by client_ip, bin(timestamp, 5m)
| where hits >= 3

Do not filter on User-Agent: the attacker chooses it, so excluding anything containing "bot" only hides scanner traffic. If static assets (.css, .js, images) are served from /modules/orderduplicate/, exclude those extensions to cut noise. Most web servers' access logs carry no session state, so the authenticated_user clause only works where the SIEM enriches requests with login data; otherwise treat every hit as unauthenticated and correlate with back-office login records.
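The same detection logic run over raw access logs, as an added example that is not part of this page or of any vendor tooling. It assumes the Apache/nginx "combined" log format, matches both URL forms PrestaShop uses to reach a module's front controllers, ignores static assets, and flags any client IP that received three or more successful responses from the module inside a five-minute window. The embedded log lines are constructed; the controller name `export` and the `id_order` parameter in them are placeholders, not the module's real routes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MODULE = "orderduplicate"
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2")

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample, not from a real incident. Routes are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2023:10:00:01 +0000] "GET /module/orderduplicate/export?id_order=1001 HTTP/1.1" 200 5120 "-" "curl/8.1.0"',
    '203.0.113.7 - - [07/Nov/2023:10:00:02 +0000] "GET /module/orderduplicate/export?id_order=1002 HTTP/1.1" 200 4980 "-" "curl/8.1.0"',
    '203.0.113.7 - - [07/Nov/2023:10:00:03 +0000] "GET /index.php?fc=module&module=orderduplicate&controller=export&id_order=1003 HTTP/1.1" 200 5011 "-" "curl/8.1.0"',
    '203.0.113.7 - - [07/Nov/2023:10:30:00 +0000] "GET /module/orderduplicate/export?id_order=1004 HTTP/1.1" 200 5100 "-" "curl/8.1.0"',
    '198.51.100.4 - - [07/Nov/2023:10:05:00 +0000] "GET /modules/orderduplicate/views/css/front.css HTTP/1.1" 200 812 "https://shop.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [07/Nov/2023:10:05:01 +0000] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 22000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Nov/2023:11:00:00 +0000] "GET /module/orderduplicate/export?id_order=7 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]


def targets_module(path):
    """True if the request reaches the module, either by direct file path or
    through PrestaShop's router (friendly URL /module/<name>/<ctrl> or the
    index.php?fc=module&module=<name> query form). Static assets are ignored."""
    p = path.lower()
    if p.split("?", 1)[0].endswith(STATIC_SUFFIXES):
        return False
    if f"/modules/{MODULE}/" in p or f"/module/{MODULE}/" in p:
        return True
    return "fc=module" in p and re.search(rf"[?&]module={MODULE}(?:&|$)", p) is not None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def find_suspicious(lines, window=timedelta(minutes=5), threshold=3):
    """Return {ip: max_hits_in_window} for IPs that got >= threshold successful
    (2xx) module responses inside any sliding window of the given length.

    The combined log carries no session state, so every hit is treated as
    unauthenticated; correlate flagged IPs with back-office login records
    before acting on them.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and 200 <= rec["status"] < 300 and targets_module(rec["path"]):
            hits[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    import sys

    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, count in sorted(find_suspicious(lines).items()):
        print(f"{ip}: {count} successful module hits within 5 minutes")
```

Pipe a real access log in (`python3 detect_orderduplicate.py < access.log`); with no input it runs over the constructed sample and flags only 203.0.113.7, whose fourth hit half an hour later is outside the window and so does not raise the count. The 403 from 192.0.2.9 is a blocked attempt rather than a download and is deliberately not counted; a separate rule on repeated 403s to the same paths is a useful early-warning signal.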
