Описание
Anonymous PrestaShop customer can download other customers' invoices
Impact
Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.
Patches
Patched in 8.1.6
Workarounds
Upgrade to 8.1.6
Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.
Пакеты
Наименование
prestashop/prestashop
composer
Затронутые версииВерсия исправления
= 8.1.5
8.1.6
Связанные уязвимости
CVSS3: 5.3
nvd
больше 1 года назад
PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available.