Package Instance

Presta Shop vulnerable to email enumeration
### Impact
An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses.

Impacted parties:
Store administrators and employees: their email addresses are exposed.
Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.

### Patches
PrestaShop 8.2.3

### Workarounds
You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

PrestaShop affected by time based enumeration in FO login form
### Impact
A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times.

### Patches
8.2.4 and 9.0.3

### Workarounds
none

### References
Found by Lam Yiu Tung

Anonymous PrestaShop customer can download other customers' invoices
### Impact
Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.

### Patches
Patched in 8.1.6

### Workarounds
Upgrade to 8.1.6

Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.

PrestaShop cross-site scripting via customer contact form in FO, through file upload
### Impact
Only PrestaShops with customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0.

The impact is substantial, when the customer thread feature flag is enabled, through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office.

Consequence: the script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right.

### Patches
This vulnerability is patched in 8.1.6.

### Workarounds
As long as you have not upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature-flag.

Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and share it with the PrestaShop team.