Impact
Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.
Patches
Patched in 8.1.6
Workarounds
Upgrade to 8.1.6
Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.
Impact
Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.
Patches
Patched in 8.1.6
Workarounds
Upgrade to 8.1.6
Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.