5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-34717

GHSA ID

GHSA-7pjr-2rgh-fc5g

EPSS Score

0.59088%

CWE

CWE-200

Published

5/14/2024

Updated

5/14/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-34717

CVE-2024-34717: Anonymous PrestaShop customer can download other customers' invoices

Impact

Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.

Patches

Patched in 8.1.6

Workarounds

Upgrade to 8.1.6

Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-34717

CVE-2024-34717:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-34717

GHSA ID

GHSA-7pjr-2rgh-fc5g

EPSS Score

0.59088%

CWE

CWE-200

Published

5/14/2024

Updated

5/14/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
prestashop/prestashop	composer	= 8.1.5	8.1.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper access control in the invoice download endpoint. The key evidence is in the commit diff showing the security check was restructured from a single flawed conditional (that could be bypassed with any secure_key) to two separate checks. The postProcess method in PdfInvoiceController.php directly handles authorization for invoice downloads and contained the insecure logic before patching. The function's role in processing PDF requests and the explicit security fix in this method confirm its vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-34717: Anonymous PrestaShop customer can download other customers' invoices

Impact

Patches

Workarounds

CVE-2024-34717:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

5.3

5.3

CVE-2024-34717: Anonymous PrestaShop customer can download other customers' invoices

Impact

Patches

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI