S4E

CVE-2025-51586 Scanner

CVE-2025-51586 Scanner - Information Disclosure vulnerability in PrestaShop

Short Info

- Level: Medium
- Single Scan
- Can be used by: Asset Owner
- Estimated Time: 10 seconds
- Time Interval: 3 weeks 1 hour
- Scan only one: Domain, Subdomain, IPv4


PrestaShop is an open-source e-commerce platform used by small and medium-sized businesses to manage their online stores. Developed by a community and backed by a business entity, it provides merchants with templates and modules to easily launch and manage a full-featured online store. PrestaShop is prevalent among online retailers who wish to customize and scale their store without significant financial investment. It is typically hosted on a web server and requires a database to store data. Online businesses across various sectors leverage PrestaShop for its extensive customization capabilities. The platform's reliance on third-party modules occasionally exposes users to additional security risks.

The Information Disclosure vulnerability in PrestaShop allows an unauthenticated user to enumerate administrator email addresses. It arises from improper handling of the id_employee and reset_token parameters: an attacker can trigger the password reset function so that the resulting form reveals the email address in a hidden HTML field. Exploitation requires no valid credentials, so the vulnerability exposes sensitive administrator details to anyone who can reach the back-office login page. It affects versions prior to 8.2.3, where the issue was patched. Prompt upgrading and patching are essential to mitigate exploitation attempts; left unaddressed, the disclosure can lead to phishing attacks or unauthorized access attempts.

Technically, the flaw lies in the AdminLogin controller, which mishandles the reset_token parameter in its password reset functionality. An attacker who can reach the back-office login interface can supply the id_employee and reset_token parameters without valid credentials; because the token is not properly validated, the form renders the associated administrator's email address in a hidden HTML field. The fix validates reset_token correctly. Upgrading to version 8.2.3 or later mitigates this threat by enforcing proper input validation and no longer revealing sensitive information through the interface.
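A defender-side way to spot attempts to enumerate id_employee values through the reset form is to watch the web server access log for unauthenticated requests to the AdminLogin controller that carry both reset_token and id_employee, and alert when one client cycles through several distinct id_employee values. The script below is an added example written for this page, not part of the scanner or of PrestaShop; the log lines, IP addresses and the admin directory name "/admin-xyz/" are constructed placeholders, and the threshold of three distinct ids is an assumption you should tune to your site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format. The IPs and
# the admin directory "/admin-xyz/" are placeholders, not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /admin-xyz/index.php?controller=AdminLogin&id_employee=1&reset_token=aaaa HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /admin-xyz/index.php?controller=AdminLogin&id_employee=2&reset_token=aaaa HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2025:12:00:03 +0000] "GET /admin-xyz/index.php?controller=AdminLogin&id_employee=3&reset_token=aaaa HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.4 - - [10/Jun/2025:12:05:00 +0000] "GET /admin-xyz/index.php?controller=AdminLogin&id_employee=1&reset_token=bbbb HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:12:06:00 +0000] "GET /admin-xyz/index.php?controller=AdminDashboard HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, request method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def reset_probe(line):
    """Return (ip, id_employee) if the line is a reset request to AdminLogin
    carrying both reset_token and id_employee, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("target")).query)
    if qs.get("controller", [""])[0] != "AdminLogin":
        return None
    if "reset_token" not in qs or "id_employee" not in qs:
        return None
    return m.group("ip"), qs["id_employee"][0]


def find_enumeration(log_text, threshold=3):
    """Group reset probes by client IP and return the IPs that touched at
    least `threshold` distinct id_employee values (a legitimate reset
    normally concerns a single account)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = reset_probe(line)
        if hit:
            ip, emp = hit
            seen[ip].add(emp)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"possible id_employee enumeration from {ip}: {ids}")
```

On the constructed sample only 203.0.113.7 is reported; the second client performed a single ordinary reset and is left alone.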

The potential effects of exploiting this vulnerability include disclosure of administrator email addresses, which can serve as the starting point for phishing or coordinated social engineering. Knowing an administrator's address raises the risk of account compromise through spear-phishing, and attackers may use it in attempts to reset or take over administrator accounts. If the same credentials are reused across platforms, the disclosure can also expose other services, producing a cascade of unauthorized access incidents. Applying the patch and enforcing least-privilege access to sensitive back-office URLs are the recommended preventative measures.
