VDB
KO
MEDIUM 5.3

GHSA-7pjr-2rgh-fc5g

Anonymous PrestaShop customer can download other customers' invoices

Details

### Impact Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.

### Patches Patched in 8.1.6

### Workarounds Upgrade to 8.1.6

Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / prestashop/prestashop
Introduced in: 8.1.5 Fixed in: 8.1.6
Fix composer require prestashop/prestashop:^8.1.6

References