
CVE-2024-34717:
Anonymous PrestaShop customer can download other customers' invoices

CVSS 3.1 Score: 5.3

Basic Information

EPSS Score: 0.59088%
Published: 5/14/2024
Updated: 5/14/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name: prestashop/prestashop
Ecosystem: composer
Vulnerable Versions: = 8.1.5
First Patched Version: 8.1.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from improper access control in the invoice download endpoint. The key evidence is the commit diff, which shows the security check being restructured from a single flawed conditional (one that could be bypassed by supplying any secure_key) into two separate checks. The postProcess method in PdfInvoiceController.php directly handles authorization for invoice downloads and contained the insecure logic before the patch. The method's role in processing PDF requests, together with the explicit security fix applied to it, confirms that this is the vulnerable function.


Advisory

Impact: Since PrestaShop 8.1.5, any invoice can be downloaded from the front office in anonymous mode by supplying a random secure_key parameter in the URL.

Patches: Patched in 8.1.6.

Workarounds: Upgrade to 8.1.6.

Thank you to Samuel *o**vin,
