CVE-2024-36682: n/a

Severity: High
Published: Mon Jun 24 2024 (06/24/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can download all emails collected while the shop is in maintenance mode. Due to a lack of permissions control, a guest can access the txt file that collects emails while maintenance is enabled, which can lead to a leak of personal information.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 03:33:31 UTC

Technical Analysis

CVE-2024-36682 affects the 'Theme settings' module (pk_themesettings) for PrestaShop, developed by Promokit.eu, in versions up to and including 1.8.8. The vulnerability stems from missing access control: guest users are not prevented from downloading a text file containing every email address the shop collected while in maintenance mode. When PrestaShop is in maintenance mode, the module stores the addresses that visitors submit in a text file intended for administrative use. Because no permission check is enforced on that file, any unauthenticated visitor can request and download it directly, disclosing personal data. The weakness is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor); here the exposure results from insufficient access control on the file. The CVSS v3.1 base score is 7.5, reflecting a network attack vector, low attack complexity, no privileges required, and no user interaction. The impact on confidentiality is high, since customer email addresses are exposed, while data integrity and system availability are unaffected. No public exploits have been reported, but the vulnerability poses a significant privacy risk and the leaked addresses could feed phishing or spam campaigns. The absence of patch links in the record suggests that a fix may not yet be publicly available, so protective measures should be applied now.

Potential Impact

The primary impact of CVE-2024-36682 is the unauthorized disclosure of customer email addresses collected by PrestaShop stores that use the vulnerable module. This breach of confidentiality can lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage for affected organizations. Attackers who obtain these addresses can run targeted phishing, spam, or social engineering campaigns against customers, raising the risk of further compromise. Since the vulnerability affects neither data integrity nor availability, the direct operational impact on the e-commerce platform is limited. However, the exposure of personal information can undermine customer trust and result in legal liability. Organizations worldwide using this module in their PrestaShop installations, especially those with large customer bases or operating in regulated markets, face significant risk. Because exploitation requires neither authentication nor user interaction, the vulnerability is particularly dangerous and likely to be targeted once exploits become available.

Mitigation Recommendations

1. Immediately restrict access to the email collection text file by configuring web server permissions to deny guest or anonymous access, especially during maintenance mode.
2. Disable maintenance mode when not actively performing updates or maintenance to minimize exposure.
3. Monitor web server logs for unauthorized access attempts to the email file and related resources.
4. Contact Promokit.eu or the module maintainers to inquire about an official patch or update addressing this vulnerability, and apply it promptly once available.
5. If no patch is available, consider temporarily removing or disabling the 'Theme settings' module until a fix is released.
6. Implement web application firewall (WAF) rules to block requests attempting to access the email collection file or related paths.
7. Review and audit all third-party modules for similar access control weaknesses to prevent analogous data leaks.
8. Inform affected customers about the potential exposure and advise them on phishing awareness and security best practices.
9. Regularly update PrestaShop and its modules to the latest versions to benefit from security fixes.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-05-30T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c64b7ef31ef0b563975

Added to database: 2/25/2026, 9:40:52 PM

Last enriched: 2/28/2026, 3:33:31 AM

Last updated: 4/12/2026, 9:12:36 AM
