
Commit a363996

Merge pull request #1729 from HackTricks-wiki/update_CVE-2025-61922__Zero-Click_Account_Takeover_on_Pre_20260103_012238
CVE-2025-61922 Zero-Click Account Takeover on Prestashop
2 parents 27a3f2a + 27480fb commit a363996

1 file changed

Lines changed: 28 additions & 2 deletions

src/network-services-pentesting/pentesting-web/prestashop.md
@@ -4,10 +4,36 @@
44

55
## From XSS to RCE
66

7-
- [**PrestaXSRF**](https://github.com/nowak0x01/PrestaXSRF): PrestaShop Exploitation Script that elevate **XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **provides support for PrestaShop Versions 8.X.X and 1.7.X.X, and allows to:**
7+
- [**PrestaXSRF**](https://github.com/nowak0x01/PrestaXSRF): PrestaShop Exploitation Script that elevate **XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for PrestaShop Versions 8.X.X and 1.7.X.X, and allows to:**
88
- _**(RCE) PSUploadModule(); - Upload a custom Module:**_ Upload a Persistent Module (backdoor) to PrestaShop.
99

10-
{{#include ../../banners/hacktricks-training.md}}
10+
## ps_checkout ExpressCheckout silent login account takeover (CVE-2025-61922)
11+
12+
> Missing identity validation in the `ps_checkout` module `< 5.0.5` lets an unauthenticated attacker **switch the session to any customer by supplying their email**.
13+
14+
- **Endpoint (unauth):** `POST /module/ps_checkout/ExpressCheckout`.
15+
- **Flow:** `ExpressCheckout.php` accepts attacker JSON, only checks `orderID`, builds `ExpressCheckoutRequest` and calls `ExpressCheckoutAction::execute()`.
16+
- **Auth bug:** In vulnerable versions `ExpressCheckoutAction` calls `CustomerAuthenticationAction::execute()` when no user is logged in. That method simply does `customerExists(<payer_email>)` and `context->updateCustomer(new Customer($id))`, so **email existence == login** (no password/token check).
17+
- **Attacker-controlled email field:** `order.payer.email_address` inside the JSON payload is read by `ExpressCheckoutRequest::getPayerEmail()`.
18+
19+
### Exploitation steps
1120

21+
1. Collect any registered customer email (admin is separate and not affected by this flow).
22+
2. Send an unauthenticated POST to the controller with `orderID` plus the victim email in `order.payer.email_address`.
23+
3. Even if the endpoint returns `500`, the response will include cookies for the victim’s customer context (session already switched), enabling PII access or purchasing with saved cards.
1224

25+
```http
26+
POST /module/ps_checkout/ExpressCheckout HTTP/1.1
27+
Host: `<target>`
28+
Content-Type: application/json
29+
Content-Length: 72
1330
31+
{"orderID":"1","order":{"payer":{"email_address":"victim@example.com"}}}
32+
```
33+
34+
## References
35+
36+
- [CVE-2025-61922: Zero-Click Account Takeover on Prestashop (blog)](https://dhakal-ananda.com.np/blogs/cve-2025-61922-analysis/)
37+
- [GitHub Advisory GHSA-54hq-mf6h-48xh](https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh)
38+
39+
{{#include ../../banners/hacktricks-training.md}}
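Review bot: in the ```http request example the line `Host: \`<target>\`` wraps the placeholder in backticks inside an already fenced block, so the backticks render literally and the header is malformed for anyone who copies the request; write it as `Host: <target>` (the `Content-Length: 72` does match the 72-byte JSON body, so that line is fine). The new section only hints at the fix through `< 5.0.5` in the quoted summary; since a GitHub advisory is linked under References, state the patched `ps_checkout` version explicitly (for example "fixed in ps_checkout 5.0.5, upgrade or disable the module until then") next to the endpoint bullet so a reader assessing a shop knows what to check for, and mention that unauthenticated `POST` hits on `/module/ps_checkout/ExpressCheckout` carrying `order.payer.email_address` are the indicator to look for in web server logs.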
