Search for packages
| purl | pkg:composer/prestashop/prestashop@8.1.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1trs-ajxn-jkhk
Aliases: CVE-2025-51586 GHSA-8xx5-h6m3-jr33 |
Presta Shop vulnerable to email enumeration ### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/ |
Affected by 1 other vulnerability. |
|
VCID-5s8z-4eqn-p7h7
Aliases: CVE-2024-26129 GHSA-3366-9287-7qpr |
### Impact Path disclosure in JavaScript variable ### Patches Patch in PrestaShop 8.1.4 ### References https://owasp.org/www-community/attacks/Full_Path_Disclosure Thanks to https://github.com/hugo-fasone |
Affected by 3 other vulnerabilities. |
|
VCID-cf1h-m5xj-mfc5
Aliases: CVE-2026-25597 GHSA-67v7-3g49-mxh2 |
PrestaShop affected by time based enumeration in FO login form ### Impact A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. ### Patches 8.2.4 and 9.0.3 ### Workarounds none ### References Found by Lam Yiu Tung |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-f4m9-pgg8-nqa3
Aliases: CVE-2024-21628 GHSA-vr7m-r9vm-m4wf |
PrestaShop XSS can be stored in DB from "add a message form" in order detail page (FO) ### Impact The isCleanHtml method is not used on this this form, which makes it possible to store an xss in DB. The impact is low because the html is not interpreted in BO, thanks to twig's escape mechanism. In FO, the xss is effective, but only impacts the customer sending it, or the customer session from which it was sent. Be careful if you have a module fetching these messages from the DB and displaying it without escaping html. ### Patches 8.1.x ### Reporter Reported by Rona Febriana (linkedin: https://www.linkedin.com/in/rona-febriana/) |
Affected by 4 other vulnerabilities. |
|
VCID-fkcb-5u24-wqbg
Aliases: CVE-2024-21627 GHSA-xgpm-q3mq-46rq |
PrestaShop some attribute not escaped in Validate::isCleanHTML method ### Description Some event attributes are not detected by the isCleanHTML method ### Impact Some modules using the isCleanHTML method could be vulnerable to xss ### Patches 8.1.3, 1.7.8.11 ### Workarounds The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`. ### Reporters Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub). |
Affected by 4 other vulnerabilities. |
|
VCID-ws23-cmum-kyh6
Aliases: CVE-2024-34716 GHSA-45vm-3j38-7p78 |
PrestaShop cross-site scripting via customer contact form in FO, through file upload ### Impact Only PrestaShops with customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0. The impact is substantial, when the customer thread feature flag is enabled, through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. Consequence: the script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. ### Patches This vulnerability is patched in 8.1.6. ### Workarounds As long as you have not upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature-flag. Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and share it with the PrestaShop team. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-ey36-u4qn-gbge | Improper Privilege Management PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` does not check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue. |
CVE-2023-43664
GHSA-gvrg-62jp-rf7j |
| VCID-keyj-v83x-nkck | Improper Privilege Management PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue. |
CVE-2023-43663
GHSA-6jmf-2pfc-q9m7 |