logo

Database

User enumeration In prestashop/prestashop

Description

Presta Shop vulnerable to email enumeration

Impact

An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses.

Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.

Patches

PrestaShop 8.2.3

Workarounds

You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-515862. NVD-2025-515863. OSV-2025-515864. GHSA-8xx5-h6m3-jr335. GCVE-2025-51586

References

1. https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8xx5-h6m3-jr332. https://github.com/PrestaShop/PrestaShop/commit/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb3. https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release4. https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.15. https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.36. https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md7. https://prestashop.com8. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-51586.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.