Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| openmage/magento-lts(Packagist) | 0 | 19.5.1 | N/A |
| openmage/magento-lts(Packagist) | 20.0.0 | 20.1.1 | N/A |
CVSS Metrics
