CVE-2024-36682
📋 TL;DR
This vulnerability in the pk_themesettings module for PrestaShop allows unauthenticated guests to download a text file containing email addresses collected during maintenance mode. It affects PrestaShop stores using the vulnerable module version, leading to potential personal data exposure.
💻 Affected Systems
- PrestaShop pk_themesettings module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass exposure of customer email addresses and potential GDPR violations with regulatory fines and reputational damage.
Likely Case
Unauthorized access to email addresses collected during maintenance periods, enabling spam or phishing campaigns.
If Mitigated
No data exposure if module is patched or maintenance mode email collection is disabled.
🎯 Exploit Status
Simple direct file access without authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.9 or later
Vendor Advisory: https://security.friendsofpresta.org/modules/2024/06/20/pk_themesettings.html
Restart Required: No
Instructions:
1. Update pk_themesettings module to version 1.8.9 or later via PrestaShop admin panel. 2. Verify module update completes successfully. 3. Clear PrestaShop cache.
🔧 Temporary Workarounds
Disable maintenance mode email collection
allTemporarily disable the email collection feature in theme settings while in maintenance mode.
Restrict access to maintenance files
linuxAdd .htaccess rules to block access to maintenance-related files.
Order Deny,Allow
Deny from all
🧯 If You Can't Patch
- Disable the pk_themesettings module entirely until patched
- Implement web application firewall rules to block access to maintenance email files
🔍 How to Verify
Check if Vulnerable:
Check module version in PrestaShop admin panel under Modules > Module Manager > pk_themesettings.Check Version:
Not applicable - check via PrestaShop admin interfaceVerify Fix Applied:
Confirm module version is 1.8.9 or later and test that maintenance email file is no longer accessible without authentication.📡 Detection & Monitoring
Log Indicators:
- Unusual access to maintenance-related files by unauthenticated users
- Multiple requests to email collection endpoints
Network Indicators:
- HTTP GET requests to maintenance email file paths from unauthenticated sources
SIEM Query:
source="web_logs" AND (uri_path="/modules/pk_themesettings/*email*" OR uri_path="*maintenance*email*") AND http_status=200 AND user_agent NOT CONTAINS authenticated