CVE-2023-41879
HIGH
OpenMage Magento < 19.5.1 - Unauthenticated Order Access via Weak Protect Code
Title source: llmDescription
Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters (16^6, about 16.8 million possible values, i.e. 24 bits of entropy), which is arguably not enough to prevent a brute-force attack by an unauthenticated network attacker. Exposing each order would require a separate brute-force attack. This issue has been patched in versions 19.5.1 and 20.1.1.
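The arithmetic behind the "arguably not enough" judgement, plus the shape of a fix, as an added example that is not OpenMage code and not the content of the patch commits linked below. The weak generator only models the 6-hex-character length the description states (the page does not show how OpenMage derived the code); the 32-hex-character replacement, the constant-time comparison and the `brute_force` search loop are this example's own assumptions about what a hardened implementation looks like:

```python
"""Keyspace arithmetic for a short order protect code and a hardened replacement.

Added example for CVE-2023-41879; illustrative, not OpenMage's implementation.
"""
import hmac
import math
import secrets
from typing import Callable, Optional


def keyspace(length: int, alphabet_size: int = 16) -> int:
    """Number of distinct codes of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def bits_of_entropy(length: int, alphabet_size: int = 16) -> float:
    """Entropy of a uniformly random code of the given length, in bits."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int = 16) -> float:
    """Mean guesses needed to hit one uniformly random code: half the keyspace."""
    return keyspace(length, alphabet_size) / 2


def seconds_to_brute_force(length: int, guesses_per_second: float,
                           alphabet_size: int = 16) -> float:
    """Expected wall-clock time for an online guessing attack at a fixed request rate."""
    return expected_guesses(length, alphabet_size) / guesses_per_second


def weak_protect_code() -> str:
    # Models only the LENGTH the advisory describes: 3 random bytes -> 6 hex chars.
    # (How the vulnerable versions actually derived the value is not shown on the page.)
    return secrets.token_hex(3)


def strong_protect_code() -> str:
    # Assumed hardened form: 16 CSPRNG bytes -> 32 hex chars (128 bits). This is an
    # assumption for the example, not the value chosen by the patch commits.
    return secrets.token_hex(16)


def code_matches(stored: str, presented: str) -> bool:
    """Constant-time comparison so response timing does not leak matching prefixes."""
    return hmac.compare_digest(stored.encode("ascii"), presented.encode("ascii"))


def brute_force(check: Callable[[str], bool], length: int,
                max_guesses: int) -> Optional[int]:
    """Enumerate every hex code of `length` in order against `check` (a stand-in for
    the server's cookie validation). Returns the 1-based guess count at which a code
    was accepted, or None if `max_guesses` ran out first."""
    for i in range(min(keyspace(length), max_guesses)):
        candidate = format(i, f"0{length}x")
        if check(candidate):
            return i + 1
    return None


if __name__ == "__main__":
    # Feasibility of the online attack at a modest, constructed request rate.
    rate = 1000.0  # requests per second; constructed figure, not measured
    print(f"6 hex chars: {keyspace(6):,} codes, {bits_of_entropy(6):.0f} bits, "
          f"~{seconds_to_brute_force(6, rate) / 3600:.1f} h at {rate:.0f} req/s")
    print(f"32 hex chars: {bits_of_entropy(32):.0f} bits, "
          f"~{seconds_to_brute_force(32, rate) / 3.15e7:.3g} years at {rate:.0f} req/s")

    # A constructed 4-character target keeps the demonstration loop fast; the same
    # loop against a 6-character code is simply 256 times longer.
    target = "00ff"
    guesses = brute_force(lambda c: code_matches(target, c), 4, 70_000)
    print(f"found {target!r} after {guesses} guesses")
```

The numbers are the whole point: a 6-character hex code gives a mean of about 8.4 million guesses per order, which is hours at request rates a single unauthenticated client can sustain, whereas 32 hex characters puts the same attack out of reach. Rate limiting helps but does not fix the underlying CWE-330 weakness; the code length does.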
References (5)
Release Notes: https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1
Exploit, Third Party Advisory: https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp
Patch: https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128
Patch: https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877
Release Notes: https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1
Scores
CVSS v3
7.5
EPSS
0.0082
EPSS Percentile
52.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-330
Status
published
Products (2)
openmage/magento
< 19.5.1
openmage/magento-lts
0 - 19.5.1 (Packagist)
Published
Sep 11, 2023
Tracked Since
Feb 18, 2026