CVE-2023-23617

low-risk
Published 2023-01-28

OpenMage LTS is an e-commerce platform. Versions prior to 19.4.22 and 20.0.19 contain an infinite loop in malicious code filter in certain conditions. Versions 19.4.22 and 20.0.19 have a fix for this issue. There are no known workarounds.

Do I need to act?

-
0.27% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.9/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Magento

Affected Vendors

Openmage

References (8)

Patch https://github.com/OpenMage/magento-lts/commit/494027785bdb7db53e60c11ef03c144b6...
Release Notes https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22
Release Notes https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19
Third Party Advisory https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3p73-mm7v-4f6m
Patch https://github.com/OpenMage/magento-lts/commit/494027785bdb7db53e60c11ef03c144b6...
Release Notes https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22
Release Notes https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19
Third Party Advisory https://github.com/OpenMage/magento-lts/security/advisories/GHSA-3p73-mm7v-4f6m
26
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal