CVE-2023-41879

Name of the Vulnerable Software and Affected Versions Magento LTS versions prior to 19.5.1 Magento LTS versions prior to 20.1.1

Description The issue concerns the "guest-view" cookie in Magento LTS, which contains a 6 hexadecimal character protect code. This code is not sufficient to prevent brute-force attacks, allowing unauthorized access to guest orders. Each order would require a separate brute force attack to expose. The German Federal Office for Information Security found this flaw through a commissioned pen test, noting that the web application accepts certain requests without strong authentication if the person making the request has non-public but easily guessed data. Implementing rate-limiting at the web server, such as a strict rate limit for the specific route (sales/guest/view/), can help mitigate the issue.

Recommendations For versions prior to 19.5.1, update to version 19.5.1 or later to resolve the issue. For versions prior to 20.1.1, update to version 20.1.1 or later to resolve the issue. As a temporary workaround, consider implementing rate-limiting at the web server, specifically for the route (sales/guest/view/), to minimize the risk of exploitation.