Magento LTS's guest order "protect code" can be brute-forced too easily
CVE-2023-41879
Severity: 7.5 (HIGH)
What is CVE-2023-41879?
A vulnerability in OpenMage LTS allows unauthorized users to view guest orders without proper authentication. Access to a guest order is gated by a 'guest-view' cookie containing a 'protect_code' that is only six hexadecimal characters long, which makes the code susceptible to brute-force guessing. Each order must be brute-forced individually, but the small keyspace still puts sensitive order information at risk of unauthorized access. The issue has been addressed in releases 19.5.1 and 20.1.1.
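To put the six-hex-character keyspace in perspective, the following added example (not OpenMage's code) computes the entropy and expected guessing effort per order for a code of a given length, and shows a hardened generator and constant-time validator; the 32-character length and the 100 requests/second rate used in the comments are illustrative assumptions, not values from the advisory.

```python
import hmac
import math
import secrets

# Assumption (constructed for this example): the vulnerable format is a
# six-character hex code, as the advisory states; the 32-character format
# below is an illustrative hardened choice, not OpenMage's actual fix.
HEX_ALPHABET_SIZE = 16


def protect_code_entropy_bits(length: int, alphabet_size: int = HEX_ALPHABET_SIZE) -> float:
    """Bits of entropy in a uniformly random code of this length and alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int = HEX_ALPHABET_SIZE) -> int:
    """Average number of online guesses needed to hit one specific code (half the keyspace)."""
    return alphabet_size ** length // 2


def hours_to_expected_hit(length: int, requests_per_second: float,
                          alphabet_size: int = HEX_ALPHABET_SIZE) -> float:
    """Average time, in hours, to guess one order's code at a given request rate.

    Because every order has its own code, this is the cost per order, not per site.
    """
    return expected_guesses(length, alphabet_size) / requests_per_second / 3600.0


def generate_protect_code(hex_length: int = 32) -> str:
    """Hardened generator: CSPRNG-backed; 32 hex characters give 128 bits of entropy."""
    return secrets.token_hex(hex_length // 2)


def verify_protect_code(stored: str, presented: str) -> bool:
    """Constant-time comparison so response timing does not leak partial matches."""
    return hmac.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    # Six hex characters: 24 bits, ~8.4 million guesses on average per order,
    # about 23 hours at an assumed 100 requests/second; 32 hex characters: 128 bits.
    for n in (6, 32):
        print(n, protect_code_entropy_bits(n), expected_guesses(n), hours_to_expected_hit(n, 100.0))
```

A long random code only helps if it is also checked in constant time and the order-view endpoint is rate-limited, since the per-order cost above assumes the server answers every guess at full speed.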
Affected Version(s)
magento-lts: <= 19.5.0 (fixed in 19.5.1)
magento-lts: >= 20.0.0, <= 20.1.0, i.e. 20.0.0 and 20.1.0 (fixed in 20.1.1)
