MEDIUM 5.3
GHSA-7pjr-2rgh-fc5g
Anonymous PrestaShop customer can download other customers' invoices
Details
### Impact Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.
### Patches Patched in 8.1.6
### Workarounds Upgrade to 8.1.6
Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / prestashop/prestashop
Introduced in:
8.1.5 Fixed in: 8.1.6 Fix
composer require prestashop/prestashop:^8.1.6 References
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-34717 [ADVISORY]
- https://github.com/PrestaShop/PrestaShop/commit/46b9a2b430dd2008ac061fbcbae9f7af55a7920a [WEB]
- https://github.com/PrestaShop/PrestaShop [PACKAGE]
- https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6 [WEB]