Improper access control in PrestaShop - CVE-2023-43664

 

Published: September 28, 2023 / Updated: May 4, 2026


Vulnerability identifier: #VU129569
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-43664
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: PrestaShop
Software vendor: PrestaShop SA

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the `ajaxProcessGetPossibleHookingListForModule` method when handling back office requests to list installed modules. A remote user can send a request that enumerates the installed modules and so disclose sensitive information.

The issue can be exploited by back office employees who do not have access rights for this action.


Remediation

Install the security update from the vendor's website.
