Package Instance

Presta Shop vulnerable to email enumeration
### Impact
An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses.

Impacted parties:
Store administrators and employees: their email addresses are exposed.
Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.

### Patches
PrestaShop 8.2.3

### Workarounds
You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

### Impact
Path disclosure in JavaScript variable

### Patches
Patch in PrestaShop 8.1.4

### References
https://owasp.org/www-community/attacks/Full_Path_Disclosure

Thanks to https://github.com/hugo-fasone

PrestaShop affected by time based enumeration in FO login form
### Impact
A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times.

### Patches
8.2.4 and 9.0.3

### Workarounds
none

### References
Found by Lam Yiu Tung

PrestaShop cross-site scripting via customer contact form in FO, through file upload
### Impact
Only PrestaShops with customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0.

The impact is substantial, when the customer thread feature flag is enabled, through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office.

Consequence: the script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right.

### Patches
This vulnerability is patched in 8.1.6.

### Workarounds
As long as you have not upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature-flag.

Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and share it with the PrestaShop team.

PrestaShop XSS can be stored in DB from "add a message form" in order detail page (FO)
### Impact
The isCleanHtml method is not used on this this form, which makes it possible to store an xss in DB.
The impact is low because the html is not interpreted in BO, thanks to twig's escape mechanism.
In FO, the xss is effective, but only impacts the customer sending it, or the customer session from which it was sent.

Be careful if you have a module fetching these messages from the DB and displaying it without escaping html.

### Patches
8.1.x

### Reporter
Reported by Rona Febriana (linkedin: https://www.linkedin.com/in/rona-febriana/)

PrestaShop some attribute not escaped in Validate::isCleanHTML method
### Description
Some event attributes are not detected by the isCleanHTML method

### Impact
Some modules using the isCleanHTML method could be vulnerable to xss

### Patches
8.1.3, 1.7.8.11

### Workarounds
The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.

### Reporters

Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub).