cbcvebase.
CVE-2023-41879
published 2023-09-11


Priority: P3 42
Severity: high
CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.82% (52.7th percentile)
Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.

Affected (6 ranges)

Vendor     Product       Version range         Fixed in
openmage   magento       < 19.5.1              19.5.1
openmage   magento       >= 20.0.0 < 20.1.1    20.1.1
openmage   magento-lts   <= 19.5.0             -
openmage   magento-lts   -                     -
openmage   magento-lts   >= 0 < 19.5.1         19.5.1
openmage   magento-lts   >= 20.0.0 < 20.1.1    20.1.1