VYPR
High severityNVD Advisory· Published Sep 11, 2023· Updated Sep 26, 2024

Magento LTS's guest order "protect code" can be brute-forced too easily

CVE-2023-41879

Description

Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
openmage/magento-ltsPackagist
< 19.5.119.5.1
openmage/magento-ltsPackagist
>= 20.0.0, < 20.1.120.1.1

Affected products

2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.