CVE-2024-25839 is a vulnerability identified in the Webbax "Super Newsletter" module for PrestaShop, specifically affecting versions 1.4.21 and earlier. This module, designed to manage newsletter subscriptions and communications, contains an access control flaw that allows unauthenticated remote attackers to escalate privileges and retrieve sensitive information. The vulnerability is categorized under CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS v3.1 base score is 7.5, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). This means an attacker can exploit the vulnerability remotely without authentication or user interaction to gain access to confidential data, potentially including customer information or internal configuration details. The vulnerability does not affect the integrity or availability of the system but poses a significant confidentiality risk. No patches or fixes are currently linked, and no public exploits have been reported, indicating a window of exposure for affected users. The issue was reserved in February 2024 and published in March 2024, suggesting recent discovery. The affected module is part of the PrestaShop ecosystem, a widely used open-source e-commerce platform, particularly popular in Europe and parts of the Americas. The lack of authentication requirement and network accessibility make this vulnerability particularly concerning for online stores relying on this module for newsletter management.

The primary impact of CVE-2024-25839 is unauthorized disclosure of sensitive information, which can include customer data, email lists, or internal system details managed by the Super Newsletter module. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential follow-on attacks such as phishing or social engineering targeting exposed contacts. Since the vulnerability does not affect integrity or availability, direct system disruption or data manipulation is not expected. However, the confidentiality breach alone can have severe consequences for organizations, especially those handling large volumes of personal data. The ease of exploitation (no authentication or user interaction required) increases the risk of widespread attacks, particularly against e-commerce sites that have not updated or secured this module. Organizations worldwide using PrestaShop with this module are at risk, with potential financial and legal repercussions from data breaches.

1. Immediate mitigation should focus on restricting network access to the Super Newsletter module endpoints, using firewalls or web application firewalls (WAFs) to limit exposure to trusted IPs only. 2. Monitor web server and application logs for unusual access patterns or attempts to access newsletter-related resources. 3. Apply any available patches or updates from Webbax or PrestaShop as soon as they are released. 4. If patches are not yet available, consider disabling or uninstalling the Super Newsletter module temporarily to prevent exploitation. 5. Conduct a thorough audit of exposed data to assess potential leakage and notify affected parties as required by law. 6. Implement strict access controls and ensure modules are configured following the principle of least privilege. 7. Educate staff about the vulnerability and encourage vigilance for phishing attempts that may leverage leaked data. 8. Plan for regular vulnerability assessments and timely updates of all third-party modules to reduce future risks.