
PrestaShop releases version 8.2.3: security patch against password reset vulnerabilities
PrestaShop has announced the availability of the new release 8.2.3, a security-focused update for the 8.2 series, which is currently under extended support.
The release follows reports from the community and partners, received in recent days, of automated attempts to exploit the back office password recovery page in order to enumerate employee email addresses.
The identified vulnerability
The issue concerned the possibility for an unauthenticated attacker to manipulate the id_employee and reset_token parameters of the password reset page. In this way it was possible to determine which accounts were present in the back office.
To exploit the flaw, the attacker needed to know or guess the back office URL, which is why many merchants had already reduced the risks by customizing this address. However, PrestaShop emphasizes that such a measure is not sufficient as a definitive protection.
The 8.2.3 update
The patch fixes the token validation process in the password reset function, preventing the disclosure of information useful to identify internal accounts.
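The enumeration class of weakness described above comes from a reset endpoint whose response depends on whether the supplied account exists. The following Python snippet is an added illustration of that principle and is not PrestaShop's code or the 8.2.3 patch: a leaking pattern is shown beside a hardened one that always does the same work and returns the same message, regardless of whether id_employee refers to a real account. The employee table, token values and messages are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample store of id_employee -> hash of the current reset token.
# These values are invented for the example and are not PrestaShop data.
EMPLOYEES = {
    1: hashlib.sha256(b"valid-token-for-employee-1").hexdigest(),
    7: hashlib.sha256(b"valid-token-for-employee-7").hexdigest(),
}

# Compared against when the id does not exist, so an unknown account costs
# the same comparison as a known one and takes the same code path.
_DUMMY_HASH = hashlib.sha256(secrets.token_bytes(32)).hexdigest()

GENERIC_MESSAGE = "If the link is valid, you can now choose a new password."


def validate_reset_leaky(id_employee, reset_token):
    """Illustrative leaking pattern (not PrestaShop's code): the message
    differs between 'no such employee' and 'wrong token', which is enough
    to tell real account ids apart from non-existent ones."""
    if id_employee not in EMPLOYEES:
        return False, "Unknown employee."
    supplied = hashlib.sha256(str(reset_token).encode()).hexdigest()
    if not hmac.compare_digest(EMPLOYEES[id_employee], supplied):
        return False, "Invalid reset token."
    return True, "Token accepted."


def validate_reset(id_employee, reset_token):
    """Hardened pattern: same message and same amount of work for an
    unknown id, a wrong token and a correct token, so the response does
    not reveal whether id_employee is a real back office account."""
    stored = EMPLOYEES.get(id_employee, _DUMMY_HASH)
    supplied = hashlib.sha256(str(reset_token).encode()).hexdigest()
    ok = hmac.compare_digest(stored, supplied)
    return ok, GENERIC_MESSAGE
```

In a real application the token would also be single-use and time-limited, and the reset route would sit behind the rate limiting the article recommends; the snippet only isolates the response-uniformity property.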
In addition to the security fix, the update also includes some low-risk bug fixes and already-validated improvements.
Anyone using PrestaShop 8 is urged to update as soon as possible to version 8.2.3 via the Update Assistant, following the standard steps: enable maintenance mode, run the update, check the logs, and reopen the store.
Alternatively, it is possible to manually apply the patch by modifying the AdminLoginController.php file, but the recommended solution remains the full update.
Possible temporary workarounds
While waiting for the update, developers suggest some measures to reduce the risks:
- restrict access to the back office via VPN or IP whitelist,
- add an extra layer of HTTP authentication,
- customize the access URL,
- configure rate limiting or WAF rules for the password reset route,
- monitor logs to detect suspicious attempts,
- enable two-factor authentication with external modules.
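For the log-monitoring and rate-limiting measures in the list above, the following Python script is an added example (not part of the article or of PrestaShop) that scans web server access logs for the pattern the article describes: one client cycling through many different id_employee values on the password reset route within a short window. The log lines are constructed for the example; the back office path is a placeholder, and the only assumption about the URL is that it carries the id_employee and reset_token query parameters named in the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Combined log format: ip - - [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log excerpt. IPs are from documentation ranges,
# "/admin-placeholder/" stands in for a store's customized back office URL,
# and the tokens are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:09:14:01 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&id_employee=1&reset_token=abc HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2025:09:14:02 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&id_employee=2&reset_token=abc HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2025:09:14:03 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&id_employee=3&reset_token=abc HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2025:09:14:04 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&id_employee=4&reset_token=abc HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2025:09:14:05 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&id_employee=5&reset_token=abc HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2025:09:14:06 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&id_employee=6&reset_token=abc HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2025:09:18:40 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin HTTP/1.1" 200 2048
198.51.100.9 - - [10/Mar/2025:09:20:11 +0000] "GET /admin-placeholder/index.php?controller=AdminLogin&id_employee=4&reset_token=legit HTTP/1.1" 200 512
"""


def parse_reset_requests(log_text):
    """Yield (ip, timestamp, id_employee) for every request whose query
    string carries both id_employee and reset_token; other lines (plain
    login page hits, unparsable lines) are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m["target"]).query)
        if "id_employee" not in query or "reset_token" not in query:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, query["id_employee"][0]


def find_enumeration(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {ip: distinct_ids} for clients that requested the reset route
    with at least `threshold` distinct id_employee values inside any
    `window`. A single legitimate reset touches one id, so a high count
    of distinct ids from one client is the enumeration signal."""
    by_ip = defaultdict(list)
    for ip, ts, emp in parse_reset_requests(log_text):
        by_ip[ip].append((ts, emp))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        # Sliding window anchored at each event; fine for log excerpts.
        for i, (start, _) in enumerate(events):
            ids = {emp for ts, emp in events[i:] if ts - start <= window}
            best = max(best, len(ids))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible id_employee enumeration from {ip}: "
              f"{count} distinct ids on the reset route")
```

The same per-client, per-window count is what a WAF or rate-limiting rule for the reset route would enforce up front; the script is the after-the-fact check on logs that the article's last two workarounds call for, and the threshold and window are tuning knobs rather than fixed values.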
PrestaShop 9 is not vulnerable
It is worth noting that PrestaShop 9, thanks to the new Symfony-based architecture for authentication and password reset, is not affected by this vulnerability. The project roadmap already encourages merchants to plan the migration to the new major release, which will offer greater security and new features.
The release of version 8.2.3 represents a crucial step in keeping online stores that still rely on the 8.2.x series secure.
PrestaShop reiterates the importance of performing the update immediately, reminding that any delay can expose merchants to concrete risks.
For less experienced users, we remind you that Prestalia is available to support you with dedicated interventions related to your PrestaShop installation. A dedicated service is also available for PrestaShop updates, which allows you to keep your installation up to date with the latest stable version.