CVE-2023-45892: n/a in n/a

High
Vulnerability: CVE-2023-45892
Published: Tue Jan 02 2024 (01/02/2024, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 17:56:36 UTC

Technical Analysis

CVE-2023-45892 is a high-severity vulnerability in the Order and Invoice pages of the Floorsight Insights Q3 2023 platform. It allows an unauthenticated remote attacker to read sensitive customer information without any form of authentication or user interaction. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the application does not enforce access control on the endpoints that serve order and invoice records, so a caller who supplies a record identifier is served the record without a check that the caller is authenticated or owns it. The CVSS v3.1 base score of 7.5 reflects the ease of exploitation (network vector, low attack complexity, no privileges required, no user interaction) combined with a high impact on confidentiality; integrity and availability are unaffected. No specific vendor or product version details are provided beyond the Q3 2023 release of Floorsight Insights, and the affected components are its order and invoice management pages. No patches and no known exploitation in the wild have been reported, but the exposure of sensitive customer information poses significant privacy and compliance risk. Because no authentication is required and the flaw is reachable remotely, this is a critical concern for organizations using this platform: customer data could be harvested from outside the organization, and, since each request is an ordinary page fetch, without obvious signs in the application's behaviour.

Potential Impact

For European organizations using Floorsight Insights, this vulnerability could lead to unauthorized disclosure of sensitive customer information, potentially including personally identifiable information (PII), financial details, or order histories. Such a disclosure could violate the EU General Data Protection Regulation (GDPR), leading to substantial fines and reputational damage. Exposed customer data can also enable follow-on attacks such as identity theft, fraud, or targeted phishing campaigns. Since the vulnerability does not affect data integrity or availability, the primary impact is loss of confidentiality; the loss of customer trust and the regulatory consequences of non-compliance can nevertheless be severe. Organizations that rely on Floorsight Insights for order and invoice processing may also face operational disruption if they have to take the system offline to investigate or remediate the issue. Finally, because no authentication is required, any external party with network access to the affected system can exploit this vulnerability, which significantly increases the exposed surface.

Mitigation Recommendations

Given the absence of an available patch, European organizations should immediately implement compensating controls. These include restricting network access to the Floorsight Insights platform, especially the order and invoice pages, with firewalls, VPNs, or IP allowlisting so that only trusted users can reach them. A Web Application Firewall (WAF) with rules that detect and block unauthenticated requests to the sensitive endpoints can further reduce exploitation risk. Organizations should review access control on the platform and ensure that every endpoint serving customer data enforces both authentication and an authorization check that the requested record belongs to the requesting user. Access logging for these pages should be enhanced and monitored so that anomalous or unauthorized access patterns, such as successful requests to order or invoice pages with no authenticated session, are detected promptly. Where feasible, temporarily disabling or restricting access to the vulnerable components until a vendor patch is released is advisable. Organizations should also prepare incident response plans for a potential data breach and be ready to notify affected customers in line with GDPR requirements if one occurs. Regularly checking for vendor updates or advisories on this vulnerability is essential so that the official patch can be applied as soon as it is available.
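The following is an added example, not code from Floorsight or from this advisory, illustrating the two controls the analysis and mitigation sections describe: the CWE-639 shape of a record lookup that returns an order to anyone who knows its identifier, beside a hardened lookup that requires an authenticated principal and verifies record ownership, plus a small triage routine that scans access-log lines for successful, unauthenticated requests to order and invoice paths. All names, the sample orders, and the log lines are constructed for the example.

```python
"""
Added example (hypothetical code, not Floorsight's): object-level authorization
for an order/invoice lookup, and a log triage routine for unauthenticated hits.
"""
from dataclasses import dataclass
from typing import Optional
import logging

log = logging.getLogger("orders")

# Constructed sample data: order records keyed by id, each owned by one customer.
ORDERS = {
    1001: {"customer_id": "cust-a", "total": "149.00", "address": "1 Example St"},
    1002: {"customer_id": "cust-b", "total": "32.50", "address": "2 Example Ave"},
}


@dataclass
class Principal:
    """The authenticated caller (hypothetical shape of a session principal)."""
    customer_id: str
    roles: frozenset = frozenset()


class AuthError(Exception):
    """Raised when a request fails authentication or authorization."""


def get_order_vulnerable(order_id: int) -> Optional[dict]:
    """The CWE-639 pattern: the record is returned to any caller who supplies its id."""
    return ORDERS.get(order_id)


def get_order(principal: Optional[Principal], order_id: int) -> dict:
    """Hardened lookup: authenticate first, then check the record belongs to the caller."""
    if principal is None:
        # Logged at warning level so monitoring can alert on unauthenticated attempts.
        log.warning("unauthenticated access attempt order_id=%s", order_id)
        raise AuthError("authentication required")
    order = ORDERS.get(order_id)
    # Missing and foreign records yield the same error so ids cannot be
    # distinguished by the error type; a 'support' role may read any record.
    if order is None or (
        order["customer_id"] != principal.customer_id
        and "support" not in principal.roles
    ):
        log.warning("authorization failure customer=%s order_id=%s",
                    principal.customer_id, order_id)
        raise AuthError("not found")
    return order


# Constructed access-log lines in Apache combined format. The third field is
# the authenticated user ("-" when there is none).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2024:10:00:01 +0000] "GET /orders/1001 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.5 - - [02/Jan/2024:10:00:02 +0000] "GET /orders/1002 HTTP/1.1" 200 498 "-" "curl/8.4"
198.51.100.9 - cust-a [02/Jan/2024:10:05:00 +0000] "GET /orders/1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - cust-a [02/Jan/2024:10:05:30 +0000] "GET /invoices/77 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""


def find_anonymous_sensitive_hits(log_text: str,
                                  prefixes=("/orders/", "/invoices/")) -> list:
    """Return (client, path) for successful requests to sensitive paths with no user."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue  # malformed or truncated line; skip rather than guess
        client, user, path, status = parts[0], parts[2], parts[6], parts[8]
        if user == "-" and status == "200" and path.startswith(prefixes):
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(get_order(Principal("cust-a"), 1001))
    for client, path in find_anonymous_sensitive_hits(SAMPLE_LOG):
        print(f"unauthenticated 200 on sensitive path: {client} {path}")
```

The hardened lookup returns the same error for a missing record and for a record owned by someone else, which keeps an attacker from confirming which identifiers exist; the triage routine is deliberately simple and assumes combined-format logs where an authenticated user appears in the third field, which is an assumption about the deployment rather than anything the advisory states.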

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2023-10-16T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecc32

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:56:36 PM

Last updated: 8/9/2025, 2:45:14 AM
