PT-2025-36611 — Side Channel Attack in Packagist Prestashop/Prestashop

PT-2025-36611 · Packagist · Prestashop/Prestashop

Published

2025-09-04

Updated

2025-09-04

CVSS v3.1

4.2

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Impact

An unauthenticated attacker with access to the back-office URL can manipulate the id employee and reset token parameters to enumerate valid back-office employee email addresses.

Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts.

Patches

PrestaShop 8.2.3

Workarounds

You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

Fix

Side Channel Attack

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-203CWE-359

Related Identifiers

GHSA-8XX5-H6M3-JR33

Affected Products

Prestashop/Prestashop