CVE-2024-34717 MEDIUM

CVE-2024-34717: Anonymous PrestaShop customer can download other customers' invoices

Vendor Prestashop
Product PrestaShop
Weakness CWE-200 · Info exposure
Published May 14, 2024
Last update August 2, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from the front office in anonymous mode by supplying a random `secure_key` parameter in the URL. This issue is patched in version 8.1.6. No known workarounds are available.

Key dates

02 Disclosure timeline

May 14, 2024 CVE published
August 2, 2024 Record updated