Tag

Brute-Force Attack

1 brief RSS

OpenMage LTS Weak API Session ID Vulnerability Leads to Session Hijacking

OpenMage LTS version 20.16.0 and earlier has a critical vulnerability in the XML-RPC/SOAP API session ID generation, which uses a predictable MD5 hash of time-derived inputs, allowing attackers to brute-force and hijack active API sessions for data exfiltration, order fraud, and supply chain manipulation.

magento-lts session hijacking API vulnerability brute-force attack

2r 1t 2i Jan 9, 2024