Impact
Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.
Patches
Patched in 8.1.6
Workarounds
Upgrade to 8.1.6
Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.
matthieu-rolland Remediation developer
Impact
Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.
Patches
Patched in 8.1.6
Workarounds
Upgrade to 8.1.6
Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.