CVE-2023-30198
Published: 12 June 2023
Summary
CVE-2023-30198 is a high-severity Path Traversal (CWE-22) vulnerability in Webbax Winbizpayment. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
PrestaShop's winbizpayment module, versions 1.0.2 and earlier, contains an incorrect access control vulnerability in modules/winbizpayment/downloads/download.php. The flaw is tracked as CVE-2023-30198 with a CVSS 3.1 score of 7.5 and is classified under CWE-22 (path traversal). It permits unauthenticated network access to restricted resources and requires no user interaction.
An attacker can send crafted requests directly to the affected download.php endpoint to read arbitrary files on the server, resulting in disclosure of sensitive configuration data, credentials, or other confidential information stored on the PrestaShop installation.
Public advisories and proof-of-concept material are available from Friends-of-Presta and Packet Storm Security, highlighting the module's improper access controls; the referenced PrestaShop core Tools.php code provides context on related file-handling routines but does not itself contain a fix for this third-party module. The EPSS score has remained flat at 0.0568 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34623
Vulnerability details
Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
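The control above is only effective when the containment check is made on the canonical path that the operating system would actually open, not on the raw request string. The following is an added example (not code from the winbizpayment module, PrestaShop, or any of the referenced advisories) that contrasts a weak join-and-serve pattern with a hardened one; the directory layout, file names and contents are constructed for the demonstration, and `run_demo` is a hypothetical harness that exercises both functions in a temporary directory.

```python
"""Canonical-path containment check for a file download handler.

Added example, not code from the winbizpayment module or PrestaShop.
Assumed layout: a single 'downloads' directory from which files may be
served; the request supplies only a relative filename.
"""
import os
import tempfile
from pathlib import Path


def naive_download_path(base_dir: str, requested: str) -> Path:
    """Weak pattern: join and normalise, but never verify containment."""
    return Path(os.path.normpath(os.path.join(base_dir, requested)))


def safe_download_path(base_dir: str, requested: str) -> Path:
    """Hardened pattern: canonicalise, then verify the result stays under base_dir."""
    base = Path(base_dir).resolve()
    # NUL bytes truncate paths in some C APIs; reject them and empty names outright.
    if not requested or "\x00" in requested:
        raise ValueError("invalid filename")
    # resolve() follows symlinks and collapses '..', so the check below is made on
    # the path the OS would open, not on the caller-controlled string.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes download directory: {requested!r}")
    if not candidate.is_file():
        raise ValueError("not a regular file")
    return candidate


def run_demo() -> dict:
    """Builds a constructed sandbox, exercises both functions and returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root_p = Path(root)
        downloads = root_p / "downloads"
        downloads.mkdir()
        (downloads / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        # Stands in for a sensitive file that lives outside the served directory.
        secret = root_p / "config.php"
        secret.write_text("<?php // constructed sample; not a real configuration file")
        # A symlink inside the served directory that points outside it.
        (downloads / "link").symlink_to(secret)

        # The weak pattern happily produces a path outside the served directory.
        results["naive_escapes"] = (
            naive_download_path(str(downloads), "../config.php") == secret
        )
        # The hardened pattern serves the legitimate file...
        results["legit"] = safe_download_path(str(downloads), "invoice.pdf").name
        # ...and rejects each way of leaving the directory.
        probes = {
            "dotdot": "../config.php",
            "absolute": str(secret),
            "symlink": "link",
            "nul": "invoice.pdf\x00.txt",
        }
        for label, name in probes.items():
            try:
                safe_download_path(str(downloads), name)
                results[label] = "served"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that `safe_download_path` never inspects the request string for `..` or separators; string-based denylists miss encoded variants and symlinks, whereas comparing the resolved candidate against the resolved base directory catches all four probe classes with one rule.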