PrestaShop 8.1.5 Anonymous Invoice Download via Secure_Key (Fixed in 8.1.6)
CVE-2024-34717 Published on May 14, 2024
Anonymous PrestaShop customer can download other customers' invoices
PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from the front office in anonymous mode by supplying a random secure_key parameter in the URL. This issue is patched in version 8.1.6. No known workarounds are available.
Vulnerability Analysis
CVE-2024-34717 can be exploited with network access and requires neither authorization privileges nor user interaction. The attack complexity is rated low. The potential impact of an exploit is rated small for confidentiality, and small for integrity and availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2024-34717 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2024-34717
Affected Versions
PrestaShop:
- Version 8.1.5 is affected.
- Versions from 8.1.0 and below 8.1.6 are affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-34717.
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | prestashop/prestashop | = 8.1.5 | 8.1.6 |
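As an added example (not from this page or from the PrestaShop project), a small Python check that reads a composer.lock and reports whether the installed prestashop/prestashop version falls inside the affected ranges listed above; the lock-file content is constructed for the demonstration.

```python
import json
import re

# Affected ranges for prestashop/prestashop as stated on this page for CVE-2024-34717.
CVE_ID = "CVE-2024-34717"
PACKAGE = "prestashop/prestashop"
AFFECTED_EXACT = ("8.1.5",)
AFFECTED_RANGE = ("8.1.0", "8.1.6")  # >= 8.1.0 and < 8.1.6
FIXED_IN = "8.1.6"


def parse_version(v: str) -> tuple:
    """Turn '8.1.5', 'v8.1.5' or '8.1.5-rc1' into a comparable tuple of ints.

    Pre-release suffixes are ignored (simplification): '8.1.6-rc1' compares as 8.1.6.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad to major.minor.patch


def is_affected(version: str) -> bool:
    """True if the version matches the affected ranges from the advisory table."""
    v = parse_version(version)
    lo, hi = (parse_version(x) for x in AFFECTED_RANGE)
    exact = tuple(parse_version(x) for x in AFFECTED_EXACT)
    return v in exact or lo <= v < hi


def audit_composer_lock(lock_text: str) -> dict:
    """Look up the package in a composer.lock and report installed/affected/fixed_in."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            ver = pkg["version"]
            return {"installed": ver, "affected": is_affected(ver), "fixed_in": FIXED_IN}
    return {"installed": None, "affected": False, "fixed_in": FIXED_IN}


# Constructed composer.lock fragment (not a real lock file) for the demonstration.
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "8.1.5"}]})

if __name__ == "__main__":
    print(CVE_ID, audit_composer_lock(SAMPLE_LOCK))
```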
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.