Package details: pkg:composer/prestashop/prestashop@8.1.6
purl pkg:composer/prestashop/prestashop@8.1.6
Next non-vulnerable version 8.2.4
Latest non-vulnerable version 9.1.0
Risk 3.1
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-1trs-ajxn-jkhk
Aliases:
CVE-2025-51586
GHSA-8xx5-h6m3-jr33
PrestaShop vulnerable to email enumeration

### Impact
An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses.

Impacted parties:
- Store administrators and employees: their email addresses are exposed.
- Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.

### Patches
PrestaShop 8.2.3

### Workarounds
You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch.

More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

Fixed by:
8.2.3
Affected by 1 other vulnerability.
VCID-cf1h-m5xj-mfc5
Aliases:
CVE-2026-25597
GHSA-67v7-3g49-mxh2
PrestaShop affected by time based enumeration in FO login form

### Impact
A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times.

### Patches
8.2.4 and 9.0.3

### Workarounds
none

### References
Found by Lam Yiu Tung

Fixed by:
8.2.4
Affected by 0 other vulnerabilities.
9.0.3
Affected by 0 other vulnerabilities.
9.1.0-beta.1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-wruz-92je-97ej
Anonymous PrestaShop customer can download other customers' invoices

### Impact
Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the URL.

### Patches
Patched in 8.1.6

### Workarounds
Upgrade to 8.1.6

Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.

Aliases:
CVE-2024-34717
GHSA-7pjr-2rgh-fc5g
VCID-ws23-cmum-kyh6
PrestaShop cross-site scripting via customer contact form in FO, through file upload

### Impact
Only PrestaShop installations with the customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0.

The impact is substantial: when the customer-thread feature flag is enabled, a hacker can upload, through the front-office contact form, a malicious file containing an XSS that will be executed when an admin opens the attached file in the back office.

Consequence: the injected script can access the session and the security token, which allows it to perform any authenticated action within the scope of the administrator's rights.

### Patches
This vulnerability is patched in 8.1.6.

### Workarounds
Until you have upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature flag.

Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and shared it with the PrestaShop team.

Aliases:
CVE-2024-34716
GHSA-45vm-3j38-7p78

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-17T00:15:26.246429+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/GHSA-67v7-3g49-mxh2.yml 38.4.0
2026-04-17T00:14:52.175769+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2026-25597.yml 38.4.0
2026-04-16T23:40:07.074997+00:00 GitLab Importer Affected by VCID-1trs-ajxn-jkhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2025-51586.yml 38.4.0
2026-04-16T22:58:08.885847+00:00 GitLab Importer Fixing VCID-ws23-cmum-kyh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34716.yml 38.4.0
2026-04-16T22:57:53.092602+00:00 GitLab Importer Fixing VCID-wruz-92je-97ej https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34717.yml 38.4.0
2026-04-12T01:39:29.199633+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/GHSA-67v7-3g49-mxh2.yml 38.3.0
2026-04-12T01:38:52.321234+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2026-25597.yml 38.3.0
2026-04-12T01:00:53.295321+00:00 GitLab Importer Affected by VCID-1trs-ajxn-jkhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2025-51586.yml 38.3.0
2026-04-12T00:16:14.551680+00:00 GitLab Importer Fixing VCID-ws23-cmum-kyh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34716.yml 38.3.0
2026-04-12T00:15:57.904705+00:00 GitLab Importer Fixing VCID-wruz-92je-97ej https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34717.yml 38.3.0
2026-04-03T01:48:24.467479+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/GHSA-67v7-3g49-mxh2.yml 38.1.0
2026-04-03T01:47:49.393728+00:00 GitLab Importer Affected by VCID-cf1h-m5xj-mfc5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2026-25597.yml 38.1.0
2026-04-03T01:09:06.046452+00:00 GitLab Importer Affected by VCID-1trs-ajxn-jkhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2025-51586.yml 38.1.0
2026-04-03T00:23:15.770058+00:00 GitLab Importer Fixing VCID-ws23-cmum-kyh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34716.yml 38.1.0
2026-04-03T00:22:59.678066+00:00 GitLab Importer Fixing VCID-wruz-92je-97ej https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34717.yml 38.1.0
2026-04-02T12:39:10.919287+00:00 GitLab Importer Fixing VCID-ws23-cmum-kyh6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34716.yml 38.0.0
2026-04-02T12:39:09.007420+00:00 GitLab Importer Fixing VCID-wruz-92je-97ej https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/prestashop/prestashop/CVE-2024-34717.yml 38.0.0
2026-04-01T16:05:17.185816+00:00 GHSA Importer Fixing VCID-wruz-92je-97ej https://github.com/advisories/GHSA-7pjr-2rgh-fc5g 38.0.0
2026-04-01T16:05:17.155674+00:00 GHSA Importer Fixing VCID-ws23-cmum-kyh6 https://github.com/advisories/GHSA-45vm-3j38-7p78 38.0.0
2026-04-01T12:52:02.753226+00:00 GithubOSV Importer Fixing VCID-wruz-92je-97ej https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7pjr-2rgh-fc5g/GHSA-7pjr-2rgh-fc5g.json 38.0.0
2026-04-01T12:51:51.338178+00:00 GithubOSV Importer Fixing VCID-ws23-cmum-kyh6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-45vm-3j38-7p78/GHSA-45vm-3j38-7p78.json 38.0.0