CVE-2026-39079
Status: Received - Intake
Remote File Disclosure in PrestaShop UPS Shipping Module

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: MITRE

Description
An issue in prestashop upsshipping, all versions through at least 2.4.0, allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components.
Meta Information
Published: 2026-05-18
Last Modified: 2026-05-18
Generated: 2026-05-20
AI Q&A: 2026-05-18
EPSS Evaluated: 2026-05-19
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39079 is an information disclosure vulnerability in the UPS Shipping Module (upsshipping) for PrestaShop, affecting all versions through at least 2.4.0. It allows unauthenticated remote attackers to obtain sensitive information from publicly reachable log files in the module's logs/ directory and from the lib/UPSBaseApi.php component.

The vulnerability arises because the logs/ directory lacks access controls (no .htaccess or index.php protection), log filenames are predictable because they are derived from Unix timestamps, and logging happens unconditionally even when debug mode is off. Together these let an attacker enumerate and retrieve historical log files through predictable URLs.

Additionally, the module disables TLS certificate validation in lib/UPSLocatorApi.php, which exposes its API traffic to man-in-the-middle attacks.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized disclosure of sensitive data such as UPS API credentials, shipper account numbers, customer personally identifiable information (PII), and merchant tax identification numbers.

Exploitation can lead to fraudulent shipments charged to the merchant’s UPS account and potential large-scale data breaches affecting customers.

Because the logs accumulate extensive data over years of operation, an attacker can retrieve a large volume of historical sensitive information.

The vulnerability has a high severity score (CVSS 8.6), indicating significant risk to confidentiality.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability poses a risk of breaching data protection regulations such as GDPR because it exposes customer personally identifiable information (PII) and other sensitive merchant data.

Organizations affected by this vulnerability may be required to issue breach notifications under GDPR due to unauthorized access to personal data.

While HIPAA is not explicitly mentioned, exposure of sensitive personal information could also raise compliance concerns under similar privacy and security regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether the upsshipping module is installed in PrestaShop and verifying whether the /modules/upsshipping/logs/ directory is publicly reachable without access controls.

You can attempt to enumerate log files by accessing predictable URLs based on Unix timestamps in the logs/ directory to see if sensitive information is exposed.

Additionally, monitoring network traffic for unencrypted API calls to UPS services may reveal disabled TLS certificate validation.

  • Use curl or wget to try accessing log files, for example: curl http://your-prestashop-site/modules/upsshipping/logs/$(date +%s).log
  • Check web server access logs for requests to /modules/upsshipping/logs/ to identify attempts to access these files.
  • Scan the filesystem for the presence of the upsshipping module and its log files.
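As an added example (not from the original page, the module or its authors), the access-log check from the second bullet written out as a script: it parses combined-format lines, keeps only requests to the two paths named in the CVE description, and marks a request as a likely disclosure when the server answered 200 with a non-empty body. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample combined-format access log lines (not real traffic);
# RFC 5737 test addresses and made-up timestamp filenames.
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2026:10:01:02 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/May/2026:10:02:11 +0000] "GET /modules/upsshipping/logs/1716026400.log HTTP/1.1" 200 48213 "-" "curl/8.6.0"
203.0.113.9 - - [18/May/2026:10:02:12 +0000] "GET /modules/upsshipping/logs/1716112800.log HTTP/1.1" 404 212 "-" "curl/8.6.0"
203.0.113.9 - - [18/May/2026:10:02:13 +0000] "GET /modules/upsshipping/logs/ HTTP/1.1" 403 199 "-" "curl/8.6.0"
198.51.100.7 - - [18/May/2026:10:05:40 +0000] "GET /modules/upsshipping/lib/UPSBaseApi.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.5 - - [18/May/2026:10:06:00 +0000] "POST /module/upsshipping/ajax HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The two paths named in the CVE description. Neither is part of normal
# storefront traffic, so any external request to them is worth reviewing.
WATCHED_PREFIXES = ("/modules/upsshipping/logs/",
                    "/modules/upsshipping/lib/UPSBaseApi.php")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"]) if rec["size"].isdigit() else 0
    return rec

def find_log_access(text):
    """Return the requests that touch the watched paths, in log order."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore query string
        if path.startswith(WATCHED_PREFIXES):
            # 200 with a body means the server actually handed something back;
            # 403/404 are attempts (still worth alerting on), not disclosures.
            rec["disclosed"] = rec["status"] == 200 and rec["size"] > 0
            hits.append(rec)
    return hits

def summarize(hits):
    """Per-IP count of attempts and of responses that likely disclosed data."""
    by_ip = defaultdict(lambda: {"requests": 0, "disclosed": 0})
    for h in hits:
        by_ip[h["ip"]]["requests"] += 1
        by_ip[h["ip"]]["disclosed"] += int(h["disclosed"])
    return dict(by_ip)
```

Point it at the real access log of the shop (e.g. read the file instead of SAMPLE_LOG); any IP with a non-zero disclosed count should be treated as having retrieved log content, which feeds the credential-rotation step under mitigation.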

What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation is to fully uninstall and remove the upsshipping module from the PrestaShop filesystem.

Purge all existing log files in the /modules/upsshipping/logs/ directory to prevent further exposure of sensitive data.

Rotate UPS API credentials to invalidate any potentially compromised keys.

Temporarily block web access to the logs/ directory at the server level, for example by using .htaccess rules or web server configuration to deny access.

Monitor for unauthorized activity related to the module and the exposed data.

