CVE-2025-51586
Description
An issue was discoverd in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can enumerate employee emails via the back office password reset page in PrestaShop before 8.2.3.
Root
Cause
The vulnerability resides in the AdminLoginController.php file in the back office of PrestaShop. An unauthenticated attacker can craft id_employee and reset_token parameters in requests to the password reset page. The server response differs depending on whether the employee email exists, enabling an attacker to enumerate valid employee accounts. [1][2]
Attack
Vector
Exploitation requires knowledge of the back office URL, but no authentication. By sending requests with guessed or enumerated employee IDs and reset tokens, an attacker can observe the response and confirm valid accounts. This is a classic email enumeration vulnerability. [2]
Impact
Successful enumeration reveals which employee accounts exist. This information can be used to target specific employees with phishing attacks or other social engineering tactics. The vulnerability does not directly lead to account takeover, but it lowers the barrier for targeted attacks. [2]
Mitigation
PrestaShop 8.2.3 fully fixes this issue. Users on unsupported branches (e.g., 8.2.x) should update immediately. PrestaShop 9 is not affected. For users unable to update, restricting network access to the back office URL or customizing the back office path can reduce risk, but these are not complete fixes. [2]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
prestashop/prestashopPackagist | < 8.2.3 | 8.2.3 |
Affected products
2- PrestaShop/PrestaShopdescription
- Range: <8.2.1
Patches
11 file changed · +7 −4
controllers/admin/AdminLoginController.php+7 −4 modified@@ -158,13 +158,16 @@ public function initContent() } // For reset password feature - if ($reset_token = Tools::getValue('reset_token')) { + $reset_token = Tools::getValue('reset_token'); + $id_employee = Tools::getValue('id_employee'); + if ($reset_token !== false && $id_employee !== false) { $this->context->smarty->assign('reset_token', $reset_token); - } - if ($id_employee = Tools::getValue('id_employee')) { $this->context->smarty->assign('id_employee', $id_employee); + $employee = new Employee($id_employee); - if (Validate::isLoadedObject($employee)) { + $valid_reset_token = $employee->getValidResetPasswordToken(); + + if ($valid_reset_token !== false && $valid_reset_token === $reset_token) { $this->context->smarty->assign('reset_email', $employee->email); } }
Vulnerability mechanics
Root cause
"Missing validation of the reset token before assigning the employee email to the template allows an attacker to enumerate valid employee email addresses."
Attack vector
An attacker sends a request to the admin login page with an `id_employee` parameter but without a valid `reset_token`. In the vulnerable code, the presence of `id_employee` alone triggers the creation of an `Employee` object and, if the employee exists, the email is assigned to the template and returned in the response. By iterating over numeric `id_employee` values, an attacker can determine which employee IDs exist based on whether an email address appears in the response. The fix requires both `reset_token` and `id_employee` to be present and that the token matches the employee's stored valid reset token before revealing the email [patch_id=440602].
Affected code
The vulnerable code is in `controllers/admin/AdminLoginController.php` within the `initContent()` method. The original logic assigned the employee email to the Smarty template whenever an `id_employee` parameter was provided, without verifying that a valid `reset_token` was also supplied [patch_id=440602].
What the fix does
The patch makes two key changes. First, it moves the `$id_employee` assignment inside the same conditional block as `$reset_token`, so the email is only assigned when both parameters are supplied. Second, it retrieves the employee's valid reset token via `getValidResetPasswordToken()` and compares it against the user-supplied `reset_token` using a strict equality check. This ensures the email is only revealed when the attacker possesses a valid, matching reset token, closing the enumeration vector [patch_id=440602].
Preconditions
- networkAttacker must be able to send HTTP requests to the PrestaShop admin login page.
- inputAttacker supplies an `id_employee` numeric parameter without a valid `reset_token`.
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- github.com/advisories/GHSA-8xx5-h6m3-jr33ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-51586ghsaADVISORY
- build.prestashop-project.org/news/2025/prestashop-8-2-3-security-releaseghsaWEB
- github.com/PrestaShop/PrestaShop/commit/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fbghsaWEB
- github.com/PrestaShop/PrestaShop/releases/tag/8.2.1ghsaWEB
- github.com/PrestaShop/PrestaShop/releases/tag/8.2.3ghsaWEB
- github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8xx5-h6m3-jr33ghsaWEB
- maxime-morel.github.io/advisories/2025/CVE-2025-51586.mdghsaWEB
- prestashop.comghsaWEB
- prestashop.commitre
News mentions
0No linked articles in our index yet.