CVE-2024-24309 identifies a critical vulnerability in the 'Survey TMA' module (ecomiz_survey_tma) for PrestaShop, a widely used e-commerce platform. The vulnerability exists in versions up to 2.0.0 and allows unauthenticated attackers (guests) to download personal information without any access restrictions. This indicates a failure in access control mechanisms, specifically an exposure of sensitive information (CWE-200). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates that the attack is network-based, requires no privileges or user interaction, and impacts availability severely, though confidentiality and integrity are not directly impacted per the vector. However, the description states personal information can be downloaded, which implies confidentiality impact; this discrepancy suggests the CVSS vector may emphasize availability impact due to denial or disruption of service. The vulnerability could allow attackers to disrupt the module’s functionality or exfiltrate personal data, potentially leading to privacy violations and regulatory non-compliance. No patches or exploits are currently reported, but the risk remains high due to the ease of exploitation and the sensitive nature of the data involved. The module is a third-party extension for PrestaShop, so the vulnerability affects any e-commerce site using this module, especially those handling customer surveys or personal data collection.

The vulnerability allows unauthenticated attackers to access and download personal information without restriction, leading to potential data breaches and privacy violations. This can result in regulatory penalties under data protection laws such as GDPR or CCPA. The availability impact indicated by the CVSS vector suggests attackers could disrupt the module’s operation, affecting the functionality of surveys or data collection on e-commerce sites, potentially degrading customer experience and trust. Organizations relying on this module may face reputational damage and operational disruption. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated tools, increasing the risk of widespread attacks. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits given the public disclosure. The impact is especially critical for businesses that collect sensitive personal data through surveys, as unauthorized data access can lead to identity theft, fraud, or targeted phishing campaigns.

Immediate mitigation should include disabling or removing the vulnerable Survey TMA module if patching is not yet available. Organizations should monitor for updates from Ecomiz and PrestaShop and apply patches promptly once released. Implementing web application firewalls (WAFs) with custom rules to block unauthorized access to the module’s endpoints can reduce exposure. Conduct thorough access control reviews to ensure that sensitive data endpoints require proper authentication and authorization. Logging and monitoring access to survey data should be enhanced to detect suspicious activity. If possible, restrict network access to the module’s interfaces to trusted IP ranges or internal networks. Regularly audit third-party modules for vulnerabilities and maintain an inventory to quickly respond to disclosed issues. Educate development and security teams about the risks of using unverified third-party modules and encourage secure coding and configuration practices.