Impact
An issue in the PrestaShop UPS Shipping module enables a remote attacker to read sensitive information from the "/modules/upsshipping/logs/" and "/modules/upsshipping/lib/UPSBaseApi.php" components. The affected components store shipping details and possibly customer data. An attacker who can fetch the logs or API source code can acquire confidential data such as order contents, shipping addresses, and UPS credentials. The vulnerability is a form of information exposure; it does not permit arbitrary code execution but can lead to privacy violations, financial loss, and regulatory non-compliance.
Affected Systems
The vulnerability affects PrestaShop e-commerce installations that include the UPS Shipping module, at least up to version 2.4.0. Any deployment of PrestaShop with this module, regardless of custom modifications, is at risk if the application server exposes the modules directory to the public.
Risk and Exploitability
The CVSS score is 7.5, the EPSS score is not available, and the vulnerability is not listed as a Known Exploited Vulnerability. Nevertheless, the attack vector is remote and likely unauthenticated, requiring only a web request to the exposed URLs. Because the module logs are typically accessible to anyone who can reach the web server, the exploitation likelihood is high for exposed installations. The lack of patch or workaround information suggests that the only mitigation is to apply vendor fixes as soon as they become available; until then, exposure remains.
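Because exposure comes down to whether the web server answers requests for the two paths above, a shop operator can review existing access logs for responses that were actually served. The following is an added example, not part of the advisory or of the module; it assumes the Apache/nginx "combined" log format, and the sample lines, IP addresses and file names are constructed.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Paths named in the advisory.
LOG_DIR = "/modules/upsshipping/logs"
API_FILE = "/modules/upsshipping/lib/UPSBaseApi.php"

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise(target):
    """Drop the query string, decode percent-escapes, collapse //, /./ and /../."""
    path = unquote(target.split("?", 1)[0])
    return normpath("/" + path.lstrip("/"))

def find_exposures(lines):
    """Return {client_ip: [(path, bytes_sent), ...]} for 2xx responses with a body."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = normalise(m["target"])
        sensitive = path in (API_FILE, LOG_DIR) or path.startswith(LOG_DIR + "/")
        size = 0 if m["size"] == "-" else int(m["size"])
        # 403/404 means the server refused; only served content counts as exposure.
        if sensitive and m["status"].startswith("2") and size > 0:
            hits[m["ip"]].append((path, size))
    return dict(hits)

# Constructed sample lines: documentation IP ranges, hypothetical file names.
TS = "[12/Mar/2024:10:01:02 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /modules/upsshipping/logs/example.log HTTP/1.1" 200 5321 "-" "-"',
    f'203.0.113.7 - - {TS} "GET /modules//upsshipping/./logs/%65xample.log?x=1 HTTP/1.1" 200 5321 "-" "-"',
    f'198.51.100.9 - - {TS} "GET /modules/upsshipping/lib/UPSBaseApi.php HTTP/1.1" 403 199 "-" "-"',
    f'198.51.100.9 - - {TS} "GET /modules/upsshipping/views/css/front.css HTTP/1.1" 200 812 "-" "-"',
    f'192.0.2.44 - - {TS} "GET /modules/upsshipping/lib/UPSBaseApi.php HTTP/1.1" 200 1490 "-" "-"',
]

if __name__ == "__main__":
    for ip, served in find_exposures(SAMPLE).items():
        print(ip, served)
```

Any client returned by `find_exposures` received content from one of the affected paths, so the corresponding log files and any UPS credentials they reference should be treated as disclosed.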