CVE-2023-46346

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform path traversal attacks in the 'Product Catalog Export PRO' module for PrestaShop. Attackers can access sensitive files containing personal information without any authentication. All PrestaShop installations using affected versions of this module are vulnerable.

💻 Affected Systems

Products:
  • Product Catalog (CSV, Excel, XML) Export PRO (exportproducts) module for PrestaShop
Versions: Up to and including version 4.1.1
Operating Systems: All operating systems running PrestaShop
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the affected module versions are vulnerable by default. The vulnerability exists in the module itself, not in PrestaShop core.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through sensitive file disclosure including database credentials, configuration files, and customer personal data, potentially leading to a data breach and regulatory penalties.

🟠 Likely Case: Unauthorized access to customer personal information, configuration files, and other sensitive data stored on the server.

🟢 If Mitigated: Limited impact with proper file permissions and web server configuration restricting access to sensitive directories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and path traversal attacks are well-documented and easy to automate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.1.2 or later

Vendor Advisory: https://security.friendsofpresta.org/modules/2023/10/24/exportproducts.html

Restart Required: No

Instructions:

1. Log into PrestaShop admin panel
2. Navigate to Modules > Module Manager
3. Find 'Product Catalog Export PRO' module
4. Check current version
5. Update to version 4.1.2 or later
6. Clear PrestaShop cache

🔧 Temporary Workarounds

Disable module (applies to: all)

Temporarily disable the vulnerable module until patching is possible.

Navigate to PrestaShop admin > Modules > Module Manager > Find 'Product Catalog Export PRO' > Click Disable.

Restrict file access via web server (applies to: all)

Configure the web server to block path traversal attempts and to deny direct HTTP access to sensitive directories.

For Apache: Deny direct web access to sensitive directories ('Require all denied' on Apache 2.4, 'Deny from all' on Apache 2.2) in the server configuration or in a per-directory .htaccess. Note that 'AllowOverride None' is only valid in the main server configuration (Directory context), not inside .htaccess itself, where it is rejected and causes a 500 error.
For Nginx: Add location blocks to restrict access to sensitive paths.
Caveat: these rules only block direct requests for the files. They do not stop the module's own PHP code from reading a file on behalf of a traversal request, so file-system permissions on the PHP process and WAF rules against traversal patterns matter more than web server directory rules.

🧯 If You Can't Patch

  • Remove the module completely from the PrestaShop installation
  • Implement web application firewall rules to block path traversal patterns in URLs

🔍 How to Verify

Check if Vulnerable:

Check module version in PrestaShop admin panel under Modules > Module Manager > Product Catalog Export PRO

Check Version:

Check PrestaShop admin panel or examine modules/exportproducts/exportproducts.php file version header

Verify Fix Applied:

Confirm module version is 4.1.2 or later and test that path traversal attempts are blocked

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or '..\' patterns to exportproducts module endpoints
  • Unusual file access patterns from unauthenticated users

Network Indicators:

  • HTTP requests with path traversal payloads to /modules/exportproducts/ endpoints

SIEM Query:

web.url:*exportproducts* AND (web.url:*..%2F* OR web.url:*..%5C*)
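As an added detection example, not taken from the advisory or from the module vendor: a Python script that parses Apache combined-format access log lines, percent-decodes each request target repeatedly (so double-encoded sequences such as %252e%252e%252f, which a literal match on '..%2F' would miss, still collapse to '../'), and flags traversal sequences aimed at the /modules/exportproducts/ path. The log lines, the endpoint name and the query parameter are constructed placeholders; the module's real endpoint is not given on this page.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). Endpoint and parameter
# names are placeholders, not the module's real ones.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Oct/2023:10:01:02 +0000] "GET /modules/exportproducts/PLACEHOLDER.php?p=export.csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Oct/2023:10:01:05 +0000] "GET /modules/exportproducts/PLACEHOLDER.php?p=../../config/CONFIG_FILE_PLACEHOLDER HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [24/Oct/2023:10:01:09 +0000] "GET /modules/exportproducts/PLACEHOLDER.php?p=..%2F..%2Fconfig%2FCONFIG_FILE_PLACEHOLDER HTTP/1.1" 200 1900 "-" "python-requests/2.31"
203.0.113.13 - - [24/Oct/2023:10:01:12 +0000] "GET /modules/exportproducts/PLACEHOLDER.php?p=%252e%252e%255c..%255cconfig HTTP/1.1" 404 312 "-" "curl/8.0"
203.0.113.14 - - [24/Oct/2023:10:01:15 +0000] "GET /img/p/1/1.jpg?x=../../etc/passwd HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' followed by a forward slash or a backslash, after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e%2e%2f and the
    double-encoded %252e%252e%252f both end up as '../'."""
    cur = target
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def is_exportproducts_traversal(target: str) -> bool:
    """True if the decoded request targets the module path and carries a traversal sequence."""
    decoded = normalize(target)
    return '/modules/exportproducts/' in decoded.lower() and bool(TRAVERSAL_RE.search(decoded))


def scan_log(text: str) -> list:
    """Return one dict per flagged request; a 200 status on a flagged line means
    the server answered the traversal request and warrants immediate triage."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_exportproducts_traversal(m['target']):
            hits.append({'ip': m['ip'], 'status': int(m['status']),
                         'target': normalize(m['target'])})
    return hits
```

The last sample line carries a traversal payload against an unrelated path and is deliberately not flagged, so the rule stays scoped to the module endpoint the advisory concerns; widen the path filter if you want site-wide traversal alerting.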
