CVE-2023-46352
📋 TL;DR
This vulnerability allows unauthenticated guests to download customer personal information from PrestaShop stores using the vulnerable Facebook conversion tracking module. Attackers can access names, surnames, and email addresses from the ps_customer table without any authentication. All PrestaShop stores using the affected module versions are at risk.
💻 Affected Systems
- Pixel Plus: Events + CAPI + Pixel Catalog for Facebook Module (facebookconversiontrackingplus)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of all customer PII including names and email addresses, leading to data breach notifications, regulatory fines, and reputational damage.
Likely Case
Targeted harvesting of customer email addresses for spam/phishing campaigns or sale on dark web markets.
If Mitigated
No data exposure if module is patched or removed, or if access controls are properly implemented.
🎯 Exploit Status
The vulnerability is simple to exploit - attackers only need to access specific module export endpoints without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.5.0 or later
Vendor Advisory: https://addons.prestashop.com/en/analytics-statistics/18739-pixel-plus-events-capi-pixel-catalog-for-facebook.html
Restart Required: No
Instructions:
1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find 'Pixel Plus: Events + CAPI + Pixel Catalog for Facebook'.
4. Update to version 2.5.0 or later.
5. Clear the PrestaShop cache.
🔧 Temporary Workarounds
Disable vulnerable module
Temporarily disable the module until patching is possible.
Restrict module endpoint access
Use web server rules to block access to the module's export endpoints.
# Apache .htaccess example (placed in the PrestaShop web root; RewriteEngine must be on for the rule to take effect)
RewriteEngine On
RewriteRule ^modules/facebookconversiontrackingplus/export - [F,L]
🧯 If You Can't Patch
- Disable the facebookconversiontrackingplus module immediately
- Implement WAF rules to block requests to module export endpoints
🔍 How to Verify
Check if Vulnerable:
Check module version in PrestaShop admin: Modules > Module Manager > find 'Pixel Plus: Events + CAPI + Pixel Catalog for Facebook'
Check Version:
No CLI command - check via PrestaShop admin interface
Verify Fix Applied:
Confirm module version is 2.5.0 or higher in module manager
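The advisory offers no CLI check, but PrestaShop modules ship a config.xml in their module directory that carries the installed version in a <version> element. The following script, added here as an example and not part of the advisory or the module, reads that file and compares the version against the fixed release 2.5.0 so the check can be scripted across many stores. It assumes the standard module layout (modules/facebookconversiontrackingplus/config.xml); the sample XML embedded below is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional, Tuple

MODULE_NAME = "facebookconversiontrackingplus"
FIXED_VERSION = (2, 5, 0)  # first release the advisory lists as fixed

# Constructed sample of a PrestaShop module config.xml (assumed layout, not the
# vendor's actual file); CDATA wrappers are how PrestaShop writes these values.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
  <name>facebookconversiontrackingplus</name>
  <displayName><![CDATA[Pixel Plus: Events + CAPI + Pixel Catalog for Facebook]]></displayName>
  <version><![CDATA[2.4.1]]></version>
  <is_configurable>1</is_configurable>
</module>
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.4.1', '2.5' or 'v2.10.0' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)  # '2.5' compares as 2.5.0
    return tuple(parts)  # type: ignore[return-value]


def is_vulnerable(version_text: str) -> bool:
    """True when the installed version is older than the fixed 2.5.0 release."""
    return parse_version(version_text) < FIXED_VERSION


def module_version_from_config(xml_text: str) -> Optional[str]:
    """Extract the <version> value from a module config.xml; None if absent."""
    root = ET.fromstring(xml_text)
    version = root.findtext("version")
    return version.strip() if version else None


def check_config_xml(xml_text: str) -> dict:
    """Return a small report: the version found and whether it is below 2.5.0."""
    version = module_version_from_config(xml_text)
    if version is None:
        return {"module": MODULE_NAME, "version": None, "vulnerable": None}
    return {"module": MODULE_NAME, "version": version, "vulnerable": is_vulnerable(version)}


def check_store(prestashop_root: Path) -> dict:
    """Check a store on disk; reports the module as absent if config.xml is missing."""
    config_path = prestashop_root / "modules" / MODULE_NAME / "config.xml"
    if not config_path.is_file():
        return {"module": MODULE_NAME, "version": None, "vulnerable": False, "installed": False}
    report = check_config_xml(config_path.read_text(encoding="utf-8"))
    report["installed"] = True
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; point check_store() at a real
    # PrestaShop root (for example Path("/var/www/prestashop")) to check a live install.
    print(check_config_xml(SAMPLE_CONFIG_XML))
```

Version comparison is done on integer tuples rather than strings so that 2.10.0 correctly ranks above 2.5.0; a store with the module directory absent is reported as not installed rather than as vulnerable.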
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /modules/facebookconversiontrackingplus/export endpoints from unauthenticated users
- Unusual download patterns of customer data exports
Network Indicators:
- HTTP GET requests to module export endpoints without authentication headers
SIEM Query:
web_access_logs | where url contains "/modules/facebookconversiontrackingplus/export" and user_agent not contains "admin"
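To turn the log indicators above into something that can be run over a web server log, the following script is added here as an example (not part of the advisory or of any SIEM product). It parses Apache/nginx combined-format access log lines, picks out requests whose path starts with the module export endpoint named in the advisory, and summarises hits, successful (HTTP 200) responses and bytes served per client IP, so a single unauthenticated client pulling large exports stands out. The log lines embedded below are constructed for illustration and use documentation IP ranges.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# Export endpoint path prefix from the advisory's log indicators.
EXPORT_PATH = "/modules/facebookconversiontrackingplus/export"

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
_LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic): one client repeatedly hitting the export
# endpoint with success, one normal storefront request, and one blocked attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2023:10:15:01 +0000] "GET /modules/facebookconversiontrackingplus/export HTTP/1.1" 200 48213 "-" "curl/8.1.2"
203.0.113.7 - - [31/Oct/2023:10:15:03 +0000] "GET /modules/facebookconversiontrackingplus/export HTTP/1.1" 200 47990 "-" "curl/8.1.2"
198.51.100.20 - - [31/Oct/2023:10:16:44 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
192.0.2.9 - - [31/Oct/2023:10:17:10 +0000] "GET /modules/facebookconversiontrackingplus/export HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_export_hit(rec: dict) -> bool:
    """True when the request path (query string ignored) targets the module export endpoint."""
    path_only = rec["path"].split("?", 1)[0]
    return path_only.startswith(EXPORT_PATH)


def summarise_export_hits(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-IP summary of requests to the export endpoint: hits, 200 responses, bytes served."""
    per_ip: Dict[str, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_export_hit(rec):
            per_ip[rec["ip"]].append(rec)
    return {
        ip: {
            "hits": len(recs),
            "successful": sum(1 for r in recs if r["status"] == 200),
            "bytes": sum(r["bytes"] for r in recs),
            "user_agents": sorted({r["ua"] for r in recs}),
        }
        for ip, recs in per_ip.items()
    }


def flag_clients(lines: Iterable[str], min_successful: int = 1) -> Dict[str, dict]:
    """Clients that received at least min_successful 200 responses from the export endpoint.

    A 403 (e.g. from the .htaccess workaround) is still counted as a hit, but does
    not make the client a confirmed exposure."""
    summary = summarise_export_hits(lines)
    return {ip: s for ip, s in summary.items() if s["successful"] >= min_successful}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/apache2/access.log") on a real host.
    for ip, info in flag_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Any 200 response to this endpoint from a client that never authenticated to the back office is the condition worth alerting on; a 403 shows the blocking workaround is in place but still records that someone probed the endpoint.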
🔗 References
- https://addons.prestashop.com/en/analytics-statistics/18739-pixel-plus-events-capi-pixel-catalog-for-facebook.html
- https://security.friendsofpresta.org/modules/2023/10/31/facebookconversiontrackingplus.html