CVE-2023-41879
Published 2023-09-11
Priority P3 · 42 · high · CVSS 3.1: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 0.82% (52.7th percentile)
Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters, which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute-force attack. This issue has been patched in versions 19.5.1 and 20.1.1.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmage | magento | < 19.5.1 | 19.5.1 |
| openmage | magento | >= 20.0.0 < 20.1.1 | 20.1.1 |
| openmage | magento-lts | <= 19.5.0 | — |
| openmage | magento-lts | — | — |
| openmage | magento-lts | >= 0 < 19.5.1 | 19.5.1 |
| openmage | magento-lts | >= 20.0.0 < 20.1.1 | 20.1.1 |
OSV · 2023-09-11
CVE-2023-41879 [HIGH] Magento LTS's guest order "protect code" can be brute-forced too easily
# Impact
Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters, which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute-force attack.
# Patches
None.
# Workarounds
Implementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 1 per minute per IP) for the specific route (`sales/guest/view/`) would effectively mitigate the issue.
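As an added illustration that is not part of the advisory or the OpenMage project, here is the workaround above expressed as an nginx configuration. It assumes nginx terminates client requests for the store and that the site already hands requests to `index.php` through its existing PHP handler (the `guest_view` zone name and the 10m zone size are arbitrary choices).

```nginx
# Added example (not from the advisory): per-IP rate limit on the guest order view route.
# Belongs in the http {} context: one shared-memory zone keyed by client IP, 1 request/minute.
limit_req_zone $binary_remote_addr zone=guest_view:10m rate=1r/m;

server {
    # ... existing server configuration for the store ...

    # Match the route named in the advisory. A regex location takes precedence over the
    # store's generic "location /" prefix block, so only this path is limited.
    location ~ ^/sales/guest/view/ {
        # burst is left at its default of 0, so a second request from the same IP within
        # the minute is rejected immediately instead of being queued.
        limit_req zone=guest_view;
        limit_req_status 429;
        limit_req_log_level warn;   # rejections land in the error log for monitoring

        # Hand the request to the application front controller as the rest of the site does
        # (assumed: the existing PHP-FPM handler for index.php).
        try_files $uri /index.php$is_args$args;
    }
}
```

If a CDN or load balancer sits in front of nginx, configure the real client IP first (ngx_http_realip_module); otherwise every client shares the proxy's address and the limit is either ineffective or blocks everyone.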
# References
Email from Frank Rochlitzer ([email protected]) to [email protected]:
## Summary
The German Federal Office for Information Security (BSI) found th
GHSA · 2023-09-11
CVE-2023-41879 [HIGH] CWE-330 Magento LTS's guest order "protect code" can be brute-forced too easily
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128
- https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877
- https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1
- https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp
Published: 2023-09-11