Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.
Patched in 8.1.6
Upgrade to 8.1.6
Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.
CPE | Name | Operator | Version |
---|---|---|---|
prestashop/prestashop | eq | 8.1.5 |