CVE-2024-25840 is a path traversal vulnerability identified in the 'Account Manager | Sales Representative & Dealers | CRM' module (prestasalesmanager) developed by Presta World for the PrestaShop e-commerce platform, affecting versions up to 9.0. The vulnerability allows an unauthenticated attacker to download personal information by manipulating file path parameters without any access restrictions. This occurs due to insufficient validation or sanitization of user-supplied input that controls file paths, classified under CWE-31 (Path Traversal). The attacker can craft a request that traverses directories on the server, accessing sensitive files containing personal data of customers or sales representatives. The CVSS v3.1 base score is 7.5, indicating high severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack can be launched remotely over the network with low attack complexity, no privileges or user interaction required, and results in high confidentiality impact without affecting integrity or availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the vulnerability presents a critical risk to data privacy and regulatory compliance. This flaw could be exploited by attackers to harvest sensitive personal data, potentially leading to identity theft, fraud, or reputational damage for affected organizations.

The primary impact of CVE-2024-25840 is the unauthorized disclosure of personal information due to the path traversal vulnerability. Organizations using the affected PrestaShop module risk exposure of sensitive customer and sales representative data, which can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and potential legal liabilities. The breach of confidentiality can also facilitate further attacks such as phishing, social engineering, or identity theft. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, increasing the likelihood of exploitation. Although integrity and availability are not directly impacted, the loss of trust and potential financial penalties can have significant operational and reputational consequences. E-commerce businesses relying on PrestaShop modules are particularly vulnerable, especially those with large customer bases or handling sensitive personal data.

1. Monitor Presta World and PrestaShop official channels for patches or updates addressing CVE-2024-25840 and apply them promptly once available. 2. Implement strict input validation and sanitization on all parameters controlling file paths to prevent directory traversal sequences (e.g., '..\' or '../'). 3. Restrict file system permissions for the web server process to limit access only to necessary directories and files, minimizing exposure if traversal attempts succeed. 4. Employ web application firewalls (WAFs) with rules to detect and block path traversal attack patterns targeting the affected module. 5. Conduct thorough security audits and code reviews of custom or third-party PrestaShop modules to identify and remediate similar vulnerabilities. 6. Monitor logs for suspicious access patterns indicative of path traversal attempts and respond accordingly. 7. Educate development and security teams about secure coding practices related to file handling and input validation to prevent recurrence.