Executive Summary

CVE-2025-51586 is a user enumeration vulnerability in PrestaShop's AdminLogin controller affecting versions 1.7 through 8.2.2. Attackers can manipulate the `id_employee` and `reset_token` parameters on the Back Office password reset form to obtain administrator email addresses. When an invalid reset token is supplied with a valid employee ID, the system still displays the password reset form and includes the employee's email in a hidden field, allowing attackers to systematically enumerate admin emails by iterating employee IDs. The root cause is that the reset form variables are assigned without verifying the validity of the reset token for the employee. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow remote attackers to gain sensitive information, specifically administrator email addresses, without any privileges or user interaction. Knowing these email addresses can facilitate targeted attacks such as phishing or brute force attempts against administrator accounts. Although the vulnerability does not directly allow account takeover, it exposes private information that can be leveraged in further attacks. The attack has high complexity and cannot be reliably blocked by common WAF rules. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability exposes sensitive personal information (administrator email addresses) without proper authorization, which could be considered a violation of data protection principles under regulations like GDPR and HIPAA. Unauthorized disclosure of personal data may lead to non-compliance with these standards, potentially resulting in legal and regulatory consequences. Therefore, this vulnerability negatively impacts compliance with common data protection regulations. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to enumerate administrator email addresses via the Back Office password reset form. An attacker can send requests to the reset password endpoint manipulating the `id_employee` and `reset_token` parameters. Specifically, by supplying a valid `id_employee` with an invalid `reset_token`, the response includes the administrator's email address in a hidden field. To detect this on your system, you can monitor HTTP requests to the Back Office password reset URL for unusual or repeated attempts with varying `id_employee` values. There are no specific commands provided, but you could use tools like curl or Burp Suite to manually test the endpoint by iterating `id_employee` values with invalid tokens and inspecting the response for email disclosure. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Enforce rate limiting on the password reset endpoint to reduce the feasibility of enumeration attacks. 2) Enable two-factor authentication (2FA) for Back Office login to add an additional security layer. 3) Keep the Back Office URL secret and rotate it if it has been leaked. 4) Update PrestaShop to version 8.2.3 or later, where the vulnerability is fixed by verifying the reset token before rendering the reset form and email field. Note that common WAF rules are not reliable against this vulnerability as it stems from application logic. [1]

Useful 0 Not Useful 0