CVE-2023-41879 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-41879

CVE-2023-41879

September 11, 2023

Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.

Related Resources (7)

https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877

https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128

https://nvd.nist.gov/vuln/detail/CVE-2023-41879

https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp

https://github.com/OpenMage/magento-lts

https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Use of Insufficiently Random Values

CWE-330

EPSS

Base Score:

0.10

Products

Solutions

Resources

Company

Compare

Developer Tools