Search for packages
| purl | pkg:composer/prestashop/prestashop@8.1.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1trs-ajxn-jkhk
Aliases: CVE-2025-51586 GHSA-8xx5-h6m3-jr33 |
Presta Shop vulnerable to email enumeration ### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/ |
Affected by 1 other vulnerability. |
|
VCID-cf1h-m5xj-mfc5
Aliases: CVE-2026-25597 GHSA-67v7-3g49-mxh2 |
PrestaShop affected by time based enumeration in FO login form ### Impact A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. ### Patches 8.2.4 and 9.0.3 ### Workarounds none ### References Found by Lam Yiu Tung |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wruz-92je-97ej
Aliases: CVE-2024-34717 GHSA-7pjr-2rgh-fc5g |
Anonymous PrestaShop customer can download other customers' invoices ### Impact Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. ### Patches Patched in 8.1.6 ### Workarounds Upgrade to 8.1.6 Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team. |
Affected by 2 other vulnerabilities. |
|
VCID-ws23-cmum-kyh6
Aliases: CVE-2024-34716 GHSA-45vm-3j38-7p78 |
PrestaShop cross-site scripting via customer contact form in FO, through file upload ### Impact Only PrestaShops with customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0. The impact is substantial, when the customer thread feature flag is enabled, through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. Consequence: the script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. ### Patches This vulnerability is patched in 8.1.6. ### Workarounds As long as you have not upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature-flag. Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and share it with the PrestaShop team. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||