Cyber Resilience

CVE-2023-30198

Severity: High · Public PoC

Published: 12 June 2023
Modified: 06 January 2025
KEV Added: (not listed)
Patch:
CVSS Score (v3.1): 7.5 · Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0568 (90.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-30198 is a high-severity Path Traversal (CWE-22) vulnerability in Webbax Winbizpayment. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 9.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

PrestaShop's winbizpayment module, versions 1.0.2 and earlier, contains an incorrect access control vulnerability in modules/winbizpayment/downloads/download.php. The flaw is tracked as CVE-2023-30198 with a CVSS 3.1 base score of 7.5 and is classified under CWE-22 (path traversal). It is reachable unauthenticated over the network and requires no user interaction.

An attacker can send crafted requests directly to the affected download.php endpoint to read arbitrary files on the server, resulting in disclosure of sensitive configuration data, credentials, or other confidential information stored on the PrestaShop installation.

Public advisories and proof-of-concept material are available from Friends-of-Presta and Packet Storm Security, highlighting the module's improper access controls; the referenced PrestaShop core Tools.php code provides context on related file-handling routines but does not itself contain a fix for this third-party module. The EPSS score has remained flat at 0.0568 with no observed increase after disclosure.

EU & UK References

Vulnerability details

Prestashop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via modules/winbizpayment/downloads/download.php.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: webbax · Product: winbizpayment · Versions: ≤ 1.0.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.
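The control above, shown as a worked example of a download handler that confines requested filenames to a single allowed directory. This is added illustrative PHP, not the winbizpayment module's own code; the downloads directory location and the "file" query parameter are assumptions made for the example.

```php
<?php
// Added illustrative example (not the winbizpayment module's code): a download
// handler that only serves bare filenames from one allowed directory.
// ALLOWED_DOWNLOAD_DIR and the "file" parameter are assumptions.

declare(strict_types=1);

const ALLOWED_DOWNLOAD_DIR = __DIR__ . '/downloads'; // assumed location

/**
 * Resolve a user-supplied filename to an absolute path inside $baseDir.
 * Returns null when the name is empty or overlong, contains a NUL byte or
 * any directory component, does not exist as a regular file, or resolves
 * (after symlinks) outside the base directory.
 */
function resolveDownloadPath(string $requested, string $baseDir): ?string
{
    // Reject malformed input before touching the filesystem.
    if ($requested === '' || strlen($requested) > 255) {
        return null;
    }
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Only a bare filename is acceptable: "../x", "a/b" and "\x" all fail.
    if (basename($requested) !== $requested) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }
    // realpath() canonicalises "." and ".." and follows symlinks.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null; // nonexistent, a directory, or a dangling link
    }
    // Containment check: the canonical path must sit strictly under the base,
    // which also defeats symlinks inside the directory that point elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Request handling, assuming a "file" query parameter. An authorisation
// check for the requesting user would precede this in a real module.
$requested = (string)($_GET['file'] ?? '');
$path = resolveDownloadPath($requested, ALLOWED_DOWNLOAD_DIR);

if ($path === null) {
    http_response_code(404);
    // Log the rejected name (JSON-encoded, so control bytes are visible)
    // for detection; never echo it back to the client unescaped.
    error_log('download.php: rejected filename ' . json_encode($requested));
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

The two independent checks are deliberate: the basename() comparison rejects any path syntax up front, and the realpath() prefix comparison catches what string checks cannot, such as a symlink inside the downloads directory that resolves to a file outside it. Logging rejected names at the web tier gives a simple detection signal for traversal probing against the endpoint.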

References