CVE-2024-34991: n/a
In the module "Axepta" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date) / postal address / email / etc. without restriction due to a lack of permissions control.
AI Analysis
Technical Summary
CVE-2024-34991 identifies a high-severity vulnerability in the Axepta payment module (axepta) for PrestaShop, a widely used e-commerce platform. Versions before 1.3.4 lack proper permissions control, so unauthenticated guest users can access and download partial sensitive customer information such as credit card expiry dates, postal addresses, and email addresses. The weakness is an exposure of sensitive information to an unauthorized actor (CWE-200): the module fails to restrict data access to authorized users. The flaw can be exploited remotely without authentication or user interaction, which raises the risk of automated or targeted data harvesting. Although full credit card numbers are not exposed and data integrity and availability are unaffected, the leaked partial payment and personal information can facilitate fraud, phishing, or identity theft. The CVSS v3.1 base score of 7.5 (High) reflects the ease of exploitation (network vector, low complexity, no privileges required) and the high confidentiality impact. No public exploits have been reported yet, but the module's integration into many PrestaShop stores worldwide makes the issue a significant concern. The absence of a patch link in the record suggests that the fixed version (1.3.4 or later) is either recently released or pending, so operators should monitor vendor communications closely. Organizations should audit their PrestaShop installations for the affected Axepta module version and apply updates promptly; reviewing access control policies and monitoring for unusual data access patterns can further reduce exploitation risk.
Potential Impact
The primary impact of CVE-2024-34991 is the unauthorized disclosure of partial sensitive customer data, including credit card expiry dates, postal addresses, and email addresses. While the full credit card number is not exposed, the leaked information can still be leveraged by attackers to conduct targeted phishing campaigns, social engineering attacks, or to facilitate fraudulent transactions when combined with other data sources. The breach of confidentiality undermines customer trust and can lead to regulatory penalties under data protection laws such as GDPR or CCPA. Since the vulnerability does not affect data integrity or availability, it does not directly disrupt business operations but poses a significant privacy risk. Organizations operating e-commerce platforms with the vulnerable Axepta module may face reputational damage, increased fraud risk, and potential financial losses from remediation and legal actions. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and data harvesting by malicious actors. The global reach of PrestaShop means that many merchants worldwide could be affected, amplifying the potential scale of impact.
Mitigation Recommendations
To mitigate CVE-2024-34991, organizations should take the following specific actions:
1) Immediately verify the version of the Axepta module installed in the PrestaShop environment and upgrade to version 1.3.4 or later as soon as it becomes available, as this version addresses the permissions control issue.
2) In the interim, restrict access to the module's data endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests attempting to access sensitive data paths.
3) Conduct a thorough audit of access control configurations within the PrestaShop installation to ensure that sensitive customer data is accessible only to authenticated and authorized users.
4) Monitor server logs and network traffic for unusual or repeated access attempts to payment module resources from guest users or unknown IP addresses.
5) Employ data minimization practices by limiting the amount of sensitive information stored or displayed in the module to reduce exposure risk.
6) Educate customer service and IT teams about the vulnerability so they can recognize potential exploitation indicators and respond promptly.
7) Prepare an incident response plan to address potential data leakage, including customer notification procedures in compliance with applicable data protection regulations.
8) Engage with the module vendor or community to stay informed about patches, advisories, and best practices related to Axepta and PrestaShop security.
Affected Countries
France, Germany, United States, United Kingdom, Brazil, Italy, Spain, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-05-09T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c55b7ef31ef0b56313a
Added to database: 2/25/2026, 9:40:37 PM
Last enriched: 2/28/2026, 3:16:38 AM
Last updated: 4/12/2026, 3:33:16 PM