|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: PrestaShop 8.2.3 is available |
| 4 | +subtitle: Security patch for branch 8.2.x is available |
| 5 | +date: 2025-09-04 |
| 6 | +authors: [ PrestaShop ] |
| 7 | +image: /assets/images/2025/09/banner_8.2.3_1200x627.jpg |
| 8 | +opengraph_image: /assets/images/2025/09/banner_8.2.3_1200x627.jpg |
| 9 | +twitter_image: /assets/images/2025/09/banner_8.2.3_1024x512.jpg |
| 10 | +tags: |
| 11 | +- version |
| 12 | +- patch |
| 13 | +- releases |
| 14 | +- security |
| 15 | +- "8.2" |
| 16 | +- "8.2.x" |
| 17 | +--- |
| 18 | + |
| 19 | +PrestaShop 8.2.3 is available. It is a security‑driven patch release for the 8.2 branch. Its primary goal is to address an email enumeration vulnerability in the back office password reset feature. A handful of low-risk improvements and bug fixes that have already been validated have also been included. |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | +## Why this release now? |
| 24 | + |
| 25 | +PrestaShop 8.2 is in the extended support phase, so only security and critical fixes are shipped. Over the past days, we observed (via community reports and partners) automated probes abusing the back office password reset page to enumerate employee emails. This led us to plan a security release for branch `8.2.x`. |
| 26 | + |
| 27 | +## Details of the vulnerability |
| 28 | + |
| 29 | +An unauthenticated attacker could abuse the password reset page by crafting `id_employee` and `reset_token` parameters to discover which employee accounts exist (email enumeration). Exploitation requires the attacker to already know (or have guessed/discovered) your back office URL. Hiding or customizing this URL can reduce noise from opportunistic scans, but it must not be treated as a sufficient mitigation. |
| 30 | + |
| 31 | +Update to 8.2.3 or apply the manual patch below. Full details are available in the official advisory: [GHSA-8xx5-h6m3-jr33](https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8xx5-h6m3-jr33). |
| 32 | + |
| 33 | +**PrestaShop 9 is not affected.** |
| 34 | + |
| 35 | +## Update to PrestaShop 8.2.3 |
| 36 | + |
| 37 | +It is recommended to update to version 8.2.3 as soon as possible. The [Update Assistant](https://github.com/PrestaShop/autoupgrade/releases/) makes the update process mostly point-and-click: enable maintenance mode, run the update, review logs, test, and then reopen your store. |
| 38 | + |
| 39 | +{{% notice %}} |
| 40 | +If you're on PrestaShop 8 with PHP 8, updating to PrestaShop 8.2.3 requires either downgrading to PHP 7.4 (for the time of update) or selecting the Local archive option. This limitation is known and will be addressed in future versions of the Update Assistant. |
| 41 | +{{% /notice %}} |
| 42 | + |
| 43 | +## Download |
| 44 | +{{< cta "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.3" >}}Download PrestaShop 8.2.3 now!{{< /cta >}} |
| 45 | + |
| 46 | +## Possible workarounds |
| 47 | + |
| 48 | +Only updating to 8.2.3 (or applying the manual patch) fully fixes the issue. The steps below do not fix it, but they can lower the risk and reduce automated scan noise until you update: |
| 49 | + |
| 50 | +- Restrict network access to the back office (VPN, IP allow‑list, reverse proxy). |
| 51 | +- Add an extra HTTP authentication layer in front of the back office. |
| 52 | +- Customize/obfuscate the back office URL. |
| 53 | +- Add rate limiting or WAF rules for the password reset route and repeated requests with varying `id_employee`. |
| 54 | +- Monitor logs for bursts of `reset_token` / `id_employee` parameter combinations. |
| 55 | +- Enable 2FA for employee accounts (through a third-party module) to limit follow‑on impact. |
| 56 | + |
| 57 | +Remember: these steps reduce risk but do not replace updating or fixing the underlying issue. |
| 58 | + |
| 59 | +## PrestaShop 9 |
| 60 | + |
| 61 | +PrestaShop 9, built on a modern Symfony flow for authentication and password resets, is not affected by this issue. We encourage merchants to plan their migration to benefit from its hardened security architecture and ongoing feature development. |
| 62 | + |
| 63 | +Since (as noted in [PrestaShop 8.2.x enters the extended support phase]({{< relref "/news/posts/2025/82x-extended-support-phase" >}})) the 8.2.x branch receives only security and critical fixes now. You should begin planning your move to PrestaShop 9 to gain access to new features and its enhanced security architecture. |
| 64 | + |
| 65 | +## Manual patch instructions (advanced users) |
| 66 | + |
| 67 | +Upgrading to 8.2.3 is the safest approach, but if you cannot update immediately, you may patch manually: |
| 68 | + |
| 69 | +**Details of the fix** |
| 70 | + |
| 71 | +The patch ensures that: |
| 72 | +1. Both `reset_token` and `id_employee` must be present. |
| 73 | +2. The employee object must load successfully. |
| 74 | +3. The stored valid reset token retrieved via `Employee::getValidResetPasswordToken()` must match the provided token. |
| 75 | +4. Only then are the `reset_email`, `reset_token`, and `id_employee` values assigned to the template. Otherwise, nothing is revealed that confirms an association between an email and an employee. |
| 76 | + |
| 77 | +In simplified form, the corrected code now resembles: |
| 78 | + |
| 79 | +```php |
| 80 | +$reset_token = Tools::getValue('reset_token'); |
| 81 | +$id_employee = (int) Tools::getValue('id_employee'); |
| 82 | + |
| 83 | +if ($reset_token && $id_employee) { |
| 84 | + $employee = new Employee($id_employee); |
| 85 | + if (Validate::isLoadedObject($employee)) { |
| 86 | + $valid_reset_token = $employee->getValidResetPasswordToken(); |
| 87 | + if ($valid_reset_token !== false && $valid_reset_token === $reset_token) { |
| 88 | + $this->context->smarty->assign([ |
| 89 | + 'reset_token' => $reset_token, |
| 90 | + 'id_employee' => $id_employee, |
| 91 | + 'reset_email' => $employee->email, |
| 92 | + ]); |
| 93 | + } |
| 94 | + } |
| 95 | +} |
| 96 | +``` |
| 97 | + |
| 98 | +### How to patch manually |
| 99 | + |
| 100 | +1. Backup (files + database). |
| 101 | +2. Open `controllers/admin/AdminLoginController.php`. |
| 102 | +3. Find the block starting with `// For reset password feature` that assigns `id_employee` / `reset_email` before validating the token. |
| 103 | +4. Replace that entire block with the validated code sequence shown earlier. |
| 104 | +5. Test: request a password reset, use the emailed link, then try tampering with `id_employee` / `reset_token` to ensure no other email is revealed. |
| 105 | +6. (Only if you use opcode or external caching layers) clear OPcache, Varnish, CDN, or reverse proxy caches. Clearing Smarty cache alone is not required for this change. |
| 106 | + |
| 107 | +**If unsure, prefer a full update to 8.2.3.** |
| 108 | + |
| 109 | +## Acknowledgments |
| 110 | + |
| 111 | +We extend our sincere thanks to: |
| 112 | +* Maxime Morel-Bailly for responsibly reporting the vulnerability. |
| 113 | +* [@M0rgan01](https://github.com/M0rgan01) & [@matthieu-rolland](https://github.com/matthieu-rolland) for implementing the fix. |
| 114 | +* OpenServis and TouchWeb for alerting us about ongoing waves of enumeration attempts in the wild. |
| 115 | +* [@jolelievre](https://github.com/jolelievre) for the Distribution API Client improvement. |
| 116 | +* [@Codencode](https://github.com/Codencode), [@touxten](https://github.com/touxten) for their bug fix contributions included in this release. |
| 117 | + |
| 118 | +Your collaboration helps keep the ecosystem secure. |
| 119 | + |
0 commit comments