GHSA-h5gm-x9wr-vhcmMedium
Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass
🔗 CVE IDs covered (1)
📋 Description
Summary
The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided.
Details
When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.
Vulnerable Code
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Impact
An attacker can enumerate all coupon codes through automated requests.
Remediation Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.
🎯 Affected products2
- composer/craftcms/commerce:>= 5.0.0, <= 5.6.4
- composer/craftcms/commerce:>= 4.0.0, <= 4.11.1