IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, an inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
[CVE-2025-51586] User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2
User enumeration vulnerability in the AdminLogin controller in PrestaShop 1.7 through 8.2.2 allows remote attackers to obtain administrator email addresses via manipulation of the id_employee and reset_token parameters. An attacker who has access to the Back Office login URL can trigger the password reset form and have it disclose the associated email address in a hidden field, even when the supplied reset token is invalid. This issue has been fixed in 8.2.3.
Summary
- CVE ID: CVE-2025-51586
- Published at: 2025-09-04
- Platform: PrestaShop (Core)
- Impacted release: from 1.7 to 8.2.2 - fixed in 8.2.3
- Product author: PrestaShop
- Weakness: CWE-359 – Exposure of Private Information (‘Privacy Violation’)
- Severity: Moderate
- CVSS v3.1 base score: 4.2 (as assessed in the PrestaShop advisory)
- Based on the criteria applied in this advisory: 3.7 (Low) (see vector string below)
Root cause (before fix): the template variables for the reset form were assigned without first verifying that the reset_token matched the employee’s currently valid reset token (including its validity window).
CVSS base metrics
- Attack vector: Network (AV:N)
- Attack complexity: High (AC:H)
- Privileges required: None (PR:N)
- User interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality: Low (C:L)
- Integrity: None (I:N)
- Availability: None (A:N)
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (base score 3.7, Low)
Proof of concept
When an invalid reset_token is supplied together with a valid id_employee, the application still renders the password reset form and includes the employee’s email address in a hidden field. By incrementing or iterating through id_employee values, an attacker can systematically enumerate all Back Office user emails.
For security reasons, the full proof of concept request/response sequence is not disclosed here. The vulnerability cannot be reliably mitigated by common WAF rules, as the flaw resides in the application logic itself.
Patch
Based on editor patch: https://github.com/PrestaShop/PrestaShop/pull/39479/commits/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb
Minimal logic hardening (as merged upstream)
Only render the reset form (and especially reset_email) if both parameters are present and the token is valid for the selected employee:
- // For reset password feature
- if ($reset_token = Tools::getValue('reset_token')) {
- $this->context->smarty->assign('reset_token', $reset_token);
- }
- if ($id_employee = Tools::getValue('id_employee')) {
- $this->context->smarty->assign('id_employee', $id_employee);
- $employee = new Employee($id_employee);
- if (Validate::isLoadedObject($employee)) {
- $this->context->smarty->assign('reset_email', $employee->email);
- }
- }
+ // For reset password feature (safe: only when token is valid)
+ $reset_token = Tools::getValue('reset_token');
+ $id_employee = Tools::getValue('id_employee');
+ if ($reset_token !== false && $id_employee !== false) {
+ $this->context->smarty->assign('reset_token', $reset_token);
+ $this->context->smarty->assign('id_employee', $id_employee);
+ $employee = new Employee((int) $id_employee);
+ if (Validate::isLoadedObject($employee)) {
+ $valid_reset_token = $employee->getValidResetPasswordToken();
+ if ($valid_reset_token !== false && hash_equals($valid_reset_token, (string) $reset_token)) {
+ $this->context->smarty->assign('reset_email', $employee->email);
+ }
+ }
+ }
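Review bot: the `hash_equals` branch correctly gates `reset_email`, but the two `assign` calls for `reset_token` and `id_employee` placed above `new Employee(...)` still run for any non-false input, so the template receives unverified values; moving them into the validated branch would leave no reset-form state exposed for a bad token. The `(string) $reset_token` cast also turns an array-valued parameter into the literal `"Array"` (with a PHP warning) before `hash_equals`; an `is_string($reset_token)` check next to `!== false` would reject that input cleanly. A one-line comment stating that `getValidResetPasswordToken()` returns `false` when no valid token exists would document the contract the `$valid_reset_token !== false` test relies on.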
Upstream fix is included in PrestaShop 8.2.3.
Other recommendations
- Enforce rate limiting on the password reset endpoint.
- Install a security module that enables 2FA for Back Office login.
- Keep your Back Office URL secret and rotate it if leaked.
- Keep your PrestaShop installation up to date.
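The enumeration pattern described in the proof of concept (one client walking many id_employee values through the AdminLogin reset form) is easy to spot in web-server logs, which is the monitoring counterpart to the rate-limiting recommendation above. The detector below is an added example, not part of this advisory or of PrestaShop; the log lines are constructed, and "/admin-placeholder/" stands in for the per-shop admin directory name, which is not disclosed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format). The admin
# directory "/admin-placeholder/" is a stand-in for the real per-shop folder.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Sep/2025:10:00:01 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&reset_token=x&id_employee=1 HTTP/1.1" 200 5120
203.0.113.10 - - [04/Sep/2025:10:00:02 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&reset_token=x&id_employee=2 HTTP/1.1" 200 5120
203.0.113.10 - - [04/Sep/2025:10:00:03 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&reset_token=x&id_employee=3 HTTP/1.1" 200 5120
203.0.113.10 - - [04/Sep/2025:10:00:04 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&reset_token=x&id_employee=4 HTTP/1.1" 200 5120
198.51.100.7 - - [04/Sep/2025:10:05:00 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&reset_token=abc&id_employee=7 HTTP/1.1" 200 5120
198.51.100.7 - - [04/Sep/2025:10:06:00 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_enumeration(log_text, threshold=3, window_seconds=600):
    """Return {client_ip: sorted distinct id_employee values} for clients that
    requested the AdminLogin reset form with at least `threshold` distinct
    id_employee values inside one sliding window. A legitimate user resets a
    single account; many distinct ids from one client is the enumeration signal."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # ip -> [(timestamp, id_employee)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        qs = parse_qs(urlsplit(target).query)
        # Only requests carrying both reset parameters exercise the flawed path.
        if (qs.get("controller") != ["AdminLogin"]
                or "reset_token" not in qs or "id_employee" not in qs):
            continue
        events[ip].append((datetime.strptime(ts, TS_FMT), qs["id_employee"][0]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {eid for t, eid in evs[i:] if t - start <= window}
            if len(ids) >= threshold:
                flagged[ip] = sorted(ids)
                break
    return flagged
```

Feed it the access log of the shop's admin directory; the second client above, which requested one reset and then the plain login page, is not flagged.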
References
- Upstream fix (commit inside 8.2.3 bump PR): https://github.com/PrestaShop/PrestaShop/pull/39479/commits/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb
- PrestaShop repository: https://github.com/PrestaShop/PrestaShop
- PrestaShop security advisory: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8xx5-h6m3-jr33
- CVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-51586
- Original author advisory: https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md
Timeline
| Date (YYYY-MM-DD) | Action |
|---|---|
| 2025-05-17 | Vulnerability reported to PrestaShop |
| 2025-05-19 | Acknowledgement of report by PrestaShop |
| 2025-05-19 | CVE request to MITRE |
| 2025-08-12 | CVE-2025-51586 reserved by MITRE |
| 2025-08-18 | PrestaShop confirmation for planning a fix |
| 2025-08-28 | Fix committed upstream (part of 8.2.3 bump) |
| 2025-09-01 | 8.2.3 bump PR merged |
| 2025-09-04 | PrestaShop advisory released |
| 2025-09-04 | Discoverer advisory released (this advisory) |
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help host this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch are licensed under CC BY-SA 4.0.