Moderate severity · NVD Advisory · Published May 14, 2024 · Updated Aug 2, 2024
Anonymous PrestaShop customer can download other customers' invoices
CVE-2024-34717
Description
PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from the front office anonymously by supplying a random secure_key parameter in the URL. This issue is patched in version 8.1.6. No known workarounds are available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| prestashop/prestashop (Packagist) | >= 8.1.5, < 8.1.6 | 8.1.6 |
Affected products
- Range: = 8.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7pjr-2rgh-fc5g (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-34717 (advisory)
- github.com/PrestaShop/PrestaShop/commit/46b9a2b430dd2008ac061fbcbae9f7af55a7920a (web)
- github.com/PrestaShop/PrestaShop/releases/tag/8.1.6 (web)
- github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g (web)
News mentions
No linked articles in our index yet.