CVE-2024-36677: n/a
CVE-2024-36677 is a high-severity vulnerability in the "Login as customer PRO" module (version <1.2.7) for PrestaShop by Weblir. It allows an unauthenticated attacker (guest) to access direct links that connect to any customer account if the module is not installed or if an administrator's secret is compromised. The vulnerability arises from improper access control, classified under CWE-359 (Exposure of Sensitive Information Through an Information Leak). Exploitation requires no user interaction or privileges and can lead to full confidentiality loss of customer accounts. No known exploits are currently reported in the wild. Organizations using PrestaShop with this module are at risk of unauthorized customer account access, potentially exposing sensitive customer data. The CVSS v3.1 score is 7.
AI Analysis
Technical Summary
CVE-2024-36677 is a vulnerability identified in the "Login as customer PRO" module for PrestaShop, versions prior to 1.2.7, developed by Weblir. This module is designed to allow administrators to log in as customers for support or troubleshooting purposes. However, the vulnerability allows unauthenticated users (guests) to access direct URLs that connect to any customer account on the shop if either the module is not installed or if a secret token accessible only to administrators is leaked or stolen. The core issue is an improper access control mechanism, categorized under CWE-359, which involves exposure of sensitive information through an information leak. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely over the network. The CVSS v3.1 base score is 7.5, indicating a high severity due to the potential for complete confidentiality compromise of customer accounts without affecting integrity or availability. Although no public exploits are known at this time, the risk is significant given the sensitive nature of customer data and the ease of exploitation. The vulnerability affects PrestaShop installations using this module, which is popular among e-commerce sites worldwide. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate risk mitigation.
Potential Impact
The primary impact of CVE-2024-36677 is the unauthorized disclosure of customer account information, which can lead to privacy violations, identity theft, and fraud. Attackers gaining access to customer accounts can view personal data, order history, payment details, and potentially manipulate customer profiles if further vulnerabilities exist. This undermines customer trust and can result in regulatory penalties under data protection laws such as GDPR. For organizations, the breach can cause reputational damage, financial loss, and increased operational costs due to incident response and remediation. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated attacks, increasing the risk of widespread compromise. The vulnerability does not affect system integrity or availability directly but compromises confidentiality severely. E-commerce businesses relying on PrestaShop and this module are particularly vulnerable, especially those with large customer bases or handling sensitive payment information.
Mitigation Recommendations
Organizations should immediately audit their PrestaShop installations to determine if the "Login as customer PRO" module is installed and its version. If the module is present and below version 1.2.7, they should upgrade to the latest secure version as soon as it becomes available. Until a patch is released, consider disabling or uninstalling the module to eliminate the attack surface. Protect administrator secrets rigorously by enforcing strong access controls, rotating secrets regularly, and monitoring for unauthorized access or leaks. Implement network-level protections such as web application firewalls (WAFs) to detect and block suspicious requests targeting the vulnerable endpoints. Conduct thorough logging and monitoring to identify potential exploitation attempts. Educate administrators about the risks of secret exposure and enforce multi-factor authentication (MFA) for administrative accounts to reduce the likelihood of credential compromise. Finally, review customer account security policies and consider additional verification steps for sensitive actions to mitigate the impact of unauthorized access.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Brazil, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-05-30T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c63b7ef31ef0b5638fc
Added to database: 2/25/2026, 9:40:51 PM
Last enriched: 2/26/2026, 5:09:36 AM
Last updated: 2/26/2026, 8:02:00 AM
Related Threats
- CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series (High)
- CVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup (High)
- CVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator (Medium)
- CVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo (Medium)