Vulnerabilities > CVE-2023-41879 - Unspecified vulnerability in Openmage Magento
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Summary
Magento LTS is the official OpenMage LTS codebase. A guest order can be viewed without authentication by presenting a "guest-view" cookie that carries the order's "protect_code". That code is only 6 hexadecimal characters (16^6, about 16.8 million values, roughly 24 bits of entropy), which is arguably too small to resist an online brute-force attack against the unauthenticated guest-view endpoint. Each order has its own protect_code, so exposing each additional order requires a separate brute-force run. This issue has been patched in versions 19.5.1 and 20.1.1.
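The following is an added illustration of why a 6-hex-character code is weak; it is not OpenMage code and does not reproduce the patched logic. The "oracle" is a constructed stand-in for an unauthenticated guest-view endpoint that answers a request when the cookie's code matches the order's protect_code; the hardened variant (32 hex characters from the OS CSPRNG, constant-time comparison) is what a reviewer would expect of a fix and is an assumption, not a description of the referenced commits.

```python
"""Keyspace and brute-force model for a short hexadecimal protect_code.

Added example for CVE-2023-41879; not OpenMage's code. The oracle below is a
constructed model of an unauthenticated order-view endpoint.
"""
import hmac
import itertools
import secrets

HEX = "0123456789abcdef"


def keyspace(n_hex: int) -> int:
    """Number of distinct codes made of n_hex lowercase hex characters."""
    return 16 ** n_hex


def seconds_to_exhaust(n_hex: int, requests_per_second: float) -> float:
    """Worst-case time to try every code at a sustained request rate."""
    return keyspace(n_hex) / requests_per_second


def make_guest_view_oracle(protect_code: str):
    """Constructed model of the vulnerable behaviour: a request carrying a
    guest-view cookie is answered if the code matches. No authentication,
    no rate limit, no lockout, so every guess is free for the attacker."""
    def view_order(cookie_code: str) -> bool:
        return cookie_code == protect_code
    return view_order


def brute_force(oracle, n_hex: int):
    """Enumerate every n_hex-character hex code in lexicographic order until
    the oracle accepts one. Returns (code, attempts), or (None, attempts)
    after the whole keyspace has been tried."""
    attempts = 0
    for chars in itertools.product(HEX, repeat=n_hex):
        attempts += 1
        candidate = "".join(chars)
        if oracle(candidate):
            return candidate, attempts
    return None, attempts


# Hardened variant (assumption about an adequate fix, not a claim about the
# referenced OpenMage commits): 32 hex characters (128 bits) from the OS
# CSPRNG, compared in constant time so the check leaks no timing signal.
def generate_protect_code(n_bytes: int = 16) -> str:
    return secrets.token_hex(n_bytes)  # 2 * n_bytes hex characters


def check_protect_code(stored: str, presented: str) -> bool:
    return hmac.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    print(f"6 hex chars: {keyspace(6):,} codes (2^{keyspace(6).bit_length() - 1})")
    print(f"at 1000 req/s: {seconds_to_exhaust(6, 1000) / 3600:.1f} h to exhaust")
    # Constructed order whose code sits early in the enumeration so the demo
    # finishes instantly; a randomly chosen code needs ~8.4M guesses on average.
    oracle = make_guest_view_oracle("0003e7")
    print(brute_force(oracle, 6))
    print(f"32 hex chars: 2^{keyspace(32).bit_length() - 1} codes")
```

The arithmetic is the whole point: at 16^6 the full keyspace is exhausted in under five hours at 1000 requests per second, and half that on average, while a 32-character code (2^128) is out of reach regardless of request rate. Length is the primary control here; rate limiting or lockout on the endpoint is a complementary mitigation, not a substitute.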
References
- https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128
- https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877
- https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1
- https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp