CVE-2025-51586

MEDIUM4.2EPSS 1.0%

Presta Shop vulnerable to email enumeration

發布日:2025/9/4修改日:2025/9/15

也稱為:GHSA-8xx5-h6m3-jr33BIT-prestashop-2025-51586

描述

### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

受影響套件(2)

Bitnami/prestashopfrom 0, < 8.2.1
Packagist/prestashop/prestashopfrom 0, < 8.2.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

參考連結(10)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-51586
PATCHhttps://github.com/PrestaShop/PrestaShop
WEBhttps://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release
WEBhttps://github.com/PrestaShop/PrestaShop/commit/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb
WEBhttps://github.com/PrestaShop/PrestaShop/releases/tag/8.2.1
WEBhttps://github.com/PrestaShop/PrestaShop/releases/tag/8.2.3
WEBhttps://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8xx5-h6m3-jr33
WEBhttps://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md
WEBhttps://prestashop.com
WEBhttps://prestashop.com/