[CVE-2025-51586] User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2
User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2 allows remote attackers to obtain administrator user email addresses via manipulation of the id_employee and reset_token parameters. An attacker who has access to the Back Office login URL can trigger the password reset form to disclose the associated email address in a hidden field, even when the provided reset token is invalid. This issue has been fixed in 8.2.3.
Summary
- CVE ID: CVE-2025-51586
- Published at: 2025-09-04
- Platform: PrestaShop (Core)
- Impacted release: from 1.7 to 8.2.2 - fixed in 8.2.3
- Product author: PrestaShop
- Weakness: CWE-359 – Exposure of Private Information (‘Privacy Violation’)
- Severity: Moderate
- CVSS v3.1 base score: 4.2 (as assessed in the PrestaShop advisory)
- Based on the criteria applied in this advisory: 3.7 (Low) (see vector string below)
Root cause (before fix): the template variables for the reset form were assigned without first verifying that the reset_token matched the employee’s currently valid reset token (including validity window).
CVSS base metrics
- Attack vector: Network (AV:N)
- Attack complexity: High (AC:H)
- Privileges required: None (PR:N)
- User interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality: Low (C:L)
- Integrity: None (I:N)
- Availability: None (A:N)
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - 3.7 (Low)
Proof of concept
When an invalid reset_token is supplied together with a valid id_employee, the application still renders the password reset form and includes the employee’s email address in a hidden field. By incrementing or iterating through id_employee values, an attacker can systematically enumerate all Back Office user emails.
For security reasons, the full proof of concept request/response sequence is not fully disclosed here. The vulnerability cannot be reliably mitigated by common WAF rules, as the flaw resides in the application logic itself.
Patch
Based on editor patch: https://github.com/PrestaShop/PrestaShop/pull/39479/commits/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb
Minimal logic hardening (as merged upstream)
Only render the reset form (and especially reset_email) if both parameters are present and the token is valid for the selected employee:
- // For reset password feature
- if ($reset_token = Tools::getValue('reset_token')) {
- $this->context->smarty->assign('reset_token', $reset_token);
- }
- if ($id_employee = Tools::getValue('id_employee')) {
- $this->context->smarty->assign('id_employee', $id_employee);
- $employee = new Employee($id_employee);
- if (Validate::isLoadedObject($employee)) {
- $this->context->smarty->assign('reset_email', $employee->email);
- }
- }
+ // For reset password feature (safe: only when token is valid)
+ $reset_token = Tools::getValue('reset_token');
+ $id_employee = Tools::getValue('id_employee');
+ if ($reset_token !== false && $id_employee !== false) {
+ $this->context->smarty->assign('reset_token', $reset_token);
+ $this->context->smarty->assign('id_employee', $id_employee);
+ $employee = new Employee((int) $id_employee);
+ if (Validate::isLoadedObject($employee)) {
+ $valid_reset_token = $employee->getValidResetPasswordToken();
+ if ($valid_reset_token !== false && hash_equals($valid_reset_token, (string) $reset_token)) {
+ $this->context->smarty->assign('reset_email', $employee->email);
+ }
+ }
+ }
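Review bot: the hardened branch still assigns `reset_token` and `id_employee` to the template before the token is checked, so the reset form is rendered for any loaded employee even when the token does not match; only `reset_email` is withheld. Consider moving `$this->context->smarty->assign('reset_token', $reset_token);` and the `id_employee` assignment inside the `hash_equals` branch so that an invalid token produces the same response as a missing one, rather than a form that differs from the no-parameter case. The `$valid_reset_token !== false` guard is what keeps `hash_equals()` from being called with a non-string first argument (it raises a TypeError on a bool), so that ordering must be preserved if the block is reorganised; likewise the `(string) $reset_token` cast only covers the scalar case, and `Tools::getValue()` returning an array for `reset_token[]=...` would turn into the literal string `"Array"`, which is harmless here because it simply fails the comparison.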
Upstream fix is included in PrestaShop 8.2.3.
Other recommendations
- Enforce rate limiting on the password reset endpoint.
- Install a security module that enables 2FA for Back Office login.
- Keep your Back Office URL secret and rotate it if leaked.
- Keep your PrestaShop installation up to date.
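As an added example (not code from PrestaShop or from the advisory author), the following Python script shows the detection side of the proof of concept above and the rate-limiting recommendation: it scans constructed web-server access-log lines for a single client requesting the AdminLogin reset form for many distinct id_employee values within a short window. Everything beyond the parameter names on the page is an assumption: the combined log format, the admin directory name /admin-dev/ (PrestaShop's default development name; production installs use a randomised directory), and the threshold of 5 distinct employees per 10 minutes.

```python
"""Flag id_employee enumeration against the AdminLogin password-reset form.

Added example, not PrestaShop code. Assumed: combined access-log format,
admin directory /admin-dev/, threshold of 5 distinct employees per 10 min.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one client walks id_employee 1..5 with the same
# bogus token, a legitimate user opens one reset link, and a later lone
# request from the first client falls outside the window.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2025:10:00:01 +0000] "GET /admin-dev/index.php?controller=AdminLogin&reset_token=deadbeef&id_employee=1 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [04/Sep/2025:10:00:02 +0000] "GET /admin-dev/index.php?controller=AdminLogin&reset_token=deadbeef&id_employee=2 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [04/Sep/2025:10:00:03 +0000] "GET /admin-dev/index.php?controller=AdminLogin&reset_token=deadbeef&id_employee=3 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [04/Sep/2025:10:00:04 +0000] "GET /admin-dev/index.php?controller=AdminLogin&reset_token=deadbeef&id_employee=4 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [04/Sep/2025:10:00:05 +0000] "GET /admin-dev/index.php?controller=AdminLogin&reset_token=deadbeef&id_employee=5 HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.20 - - [04/Sep/2025:10:03:10 +0000] "GET /admin-dev/index.php?controller=AdminLogin&reset_token=7f3a9c0e&id_employee=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [04/Sep/2025:10:03:40 +0000] "POST /admin-dev/index.php?controller=AdminLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Sep/2025:11:30:00 +0000] "GET /admin-dev/index.php?controller=AdminLogin&reset_token=deadbeef&id_employee=6 HTTP/1.1" 200 5120 "-" "curl/8.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_reset_request(line):
    """Return (ip, timestamp, id_employee) for a request to the AdminLogin
    controller that carries both reset_token and id_employee, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m['path']).query)
    if query.get('controller', [''])[0] != 'AdminLogin':
        return None
    if 'reset_token' not in query or 'id_employee' not in query:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, query['id_employee'][0]


def find_enumeration(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> sorted id_employee values for every IP that requested
    the reset form for at least `threshold` distinct employees inside some
    span no longer than `window`. A sliding window over the time-sorted
    events keeps a distinct-value counter, so the same windowed count can
    also drive a rate-limit decision on the reset endpoint."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_reset_request(line)
        if parsed:
            ip, ts, emp = parsed
            by_ip[ip].append((ts, emp))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        counts = Counter()   # id_employee -> occurrences inside the window
        seen = set()         # ids observed in any window that tripped the threshold
        start = 0
        for end, (ts, emp) in enumerate(events):
            counts[emp] += 1
            # Drop events older than `window` relative to the newest one.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                seen.update(counts)
        if seen:
            flagged[ip] = sorted(seen)
    return flagged


if __name__ == '__main__':
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: reset form requested for {len(ids)} employees: {ids}')
```

Run against real logs by replacing SAMPLE_LOG with the file contents; the threshold is deliberately low because a legitimate administrator resets one account, not five, and the same per-IP windowed counter is the core of a rate limit on the reset endpoint.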
References
- Upstream fix (commit inside 8.2.3 bump PR): https://github.com/PrestaShop/PrestaShop/pull/39479/commits/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb
- PrestaShop repository: https://github.com/PrestaShop/PrestaShop
- PrestaShop security advisory: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8xx5-h6m3-jr33
- CVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-51586
- Original author advisory: https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md
Timeline
| Date (YYYY-MM-DD) | Action |
|---|---|
| 2025-05-17 | Vulnerability reported to PrestaShop |
| 2025-05-19 | Acknowledgement of report by PrestaShop |
| 2025-05-19 | CVE request to MITRE |
| 2025-08-12 | CVE-2025-51586 reserved by MITRE |
| 2025-08-18 | PrestaShop confirmation for planning a fix |
| 2025-08-28 | Fix committed upstream (part of 8.2.3 bump) |
| 2025-09-01 | 8.2.3 bump PR merged |
| 2025-09-04 | PrestaShop advisory released |
| 2025-09-04 | Discoverer advisory released (this advisory) |
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch are licensed under CC BY-SA 4.0