CVE-2024-34717 — Anonymous PrestaShop customer can download other customers' invoices

Description

### Impact Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. ### Patches Patched in 8.1.6 ### Workarounds Upgrade to 8.1.6 Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.

How to fix CVE-2024-34717

To remediate CVE-2024-34717, upgrade the affected package to a fixed version below.

—upgrade to 8.1.6 or later
—upgrade to 8.1.6 or later

Is CVE-2024-34717 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 8.1.5, < 8.1.6
>= 8.1.5, < 8.1.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-34717
PATCHgithub.com/PrestaShop/PrestaShop
WEBgithub.com/PrestaShop/PrestaShop/commit/46b9a2b430dd2008ac061fbcbae9f7af55a7920a
WEBgithub.com/PrestaShop/PrestaShop/releases/tag/8.1.6