CVE-2023-41879 HIGH

CVE-2023-41879: Magento LTS's guest order "protect code" can be brute-forced too easily

Vendor Openmage

Product magento-lts

Weakness CWE-330 · Insufficient randomness

Published September 11, 2023

Last update September 26, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.

Key dates

Disclosure timeline

September 11, 2023 CVE published

September 26, 2024 Record updated

Identifiers

CVE CVE-2023-41879

CWE CWE-330

CVSS 7.5 / HIGH

Affected versions

Vendor Openmage

Product magento-lts

Affected <= 19.5.0

Vendor Openmage

Product magento-lts

Affected >= 20.0.0, <= 20.1.0