
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Vulnerability: CVE-2025-61922 (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) in the PrestaShop module ps_checkout (PrestaShop Checkout) affects versions < 5.0.5. The blog shows this is a zero-click customer account takeover caused by missing validation in the Express Checkout flow that enables a silent login for an arbitrary customer if the attacker knows the victim’s email address.

Why this is critical (impact):...

🔧 Technical Details

  1. Source-to-sink authentication bypass via DTO fields: When a controller accepts attacker-controlled JSON, wraps it into a request/DTO object, and only performs minimal checks (e.g., presence of an orderID), downstream action classes may treat other DTO fields as trusted. If any downstream logic uses those fields to decide authentication/identity, it can become an auth bypass.

  2. “Login by email existence” → account takeover: Any flow that does customerId = customerExists(email) (or similar lookup), then constructs an identity object (new Customer(customerId)) and calls a session/context switch primitive (e.g., context->updateCustomer(customer)) without verifying ownership of that email (password, signed token, IdP assertion, etc.) allows takeover of arbitrary accounts by supplying the victim’s email in a crafted request. Exploitation typically requires identifying the exact JSON/parameter path used (here: <...

🤖 Agent Actions

Summary:

  • Expanded the PrestaShop page with the ps_checkout ExpressCheckout silent-login vulnerability (CVE-2025-61922), detailing the email-existence-based account takeover flow, attacker-controlled field, and impact.
  • Added exploitation steps with a ready-to-use HTTP PoC payload and mitigation guidance highlighting the fixed behavior in v5.0.5.
  • Included references to the original blog and GitHub advisory.

Tests: Not applicable (documentation update).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
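As an added illustration of the "login by email existence" pattern the technical details describe (hypothetical PHP modelled on the primitives the summary names, not the ps_checkout module's own code; `ExpressCheckoutDto`, `CustomerRepository` and `SessionContext` are invented stand-ins), the vulnerable handler beside a hardened one that never derives identity from a request-supplied email:

```php
<?php
// Hypothetical stand-ins for the primitives named in the PR summary (not PrestaShop code).
final class ExpressCheckoutDto {
    public function __construct(public readonly string $orderId, public readonly ?string $email) {}

    public static function fromJson(string $json): self {
        $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        if (empty($data['orderID'])) {                 // the only validation the controller performs
            throw new InvalidArgumentException('orderID missing');
        }
        return new self((string) $data['orderID'], $data['email'] ?? null);
    }
}

interface CustomerRepository {
    public function customerExists(string $email): ?int;   // returns the customer id or null
}

interface SessionContext {
    public function currentCustomerId(): ?int;             // customer authenticated by the framework session
    public function updateCustomer(int $customerId): void; // switches the session to this customer
}

// VULNERABLE: the DTO's email field is treated as proof of identity. Whoever knows a registered
// email can put it in the JSON body and the session is switched to that customer (silent login).
function vulnerableExpressCheckout(ExpressCheckoutDto $dto, CustomerRepository $repo, SessionContext $ctx): void {
    if ($dto->email === null) {
        return;
    }
    $customerId = $repo->customerExists($dto->email);      // existence check, not ownership check
    if ($customerId !== null) {
        $ctx->updateCustomer($customerId);                 // sink: unauthenticated context switch
    }
}

// HARDENED: identity comes only from the authenticated session (or another ownership proof such
// as a password check or a signed token). The request body may describe the order, never the user.
function hardenedExpressCheckout(ExpressCheckoutDto $dto, CustomerRepository $repo, SessionContext $ctx): void {
    $sessionCustomerId = $ctx->currentCustomerId();
    if ($sessionCustomerId === null) {
        return;                                            // guest checkout stays a guest: no login upgrade
    }
    if ($dto->email !== null && $repo->customerExists($dto->email) !== $sessionCustomerId) {
        throw new RuntimeException('email does not belong to the authenticated customer');
    }
    // No context switch needed: the session already belongs to the verified customer.
}
```

For detection, the vulnerable variant leaves a telltale trace: a session that changes customer id on a checkout endpoint without any preceding login or password event for that customer.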

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://dhakal-ananda.com.np/blogs/cve-2025-61922-analysis/

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 80,443 - Pentesting Web -> PrestaShop (add CVE-2025-61922 / ps_checkout ExpressCheckout silent-login account takeover) OR Pentesting Web -> Login Bypass / Account Takeover (pattern: 'login by email existence' via DTO fields)".

Repository Maintenance:

  • MD Files Formatting: 936 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
