GHSA-H5GM-X9WR-VHCM

Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15
VLAI
Summary
Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass
Details

Summary

The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided.

Details

When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.

Vulnerable Code resim

resim

resim

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

resim

Impact

An attacker can enumerate all coupon codes through automated requests.

Remediation Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.6.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.11.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:15:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe CartController defines a RateLimiter behavior that is only activated when the \u0027number\u0027 POST/GET parameter is explicitly provided.\n\n### Details\n\nWhen an attacker submits coupon codes against the session-based cart (without passing a \u0027number\u0027 parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.\n\n**Vulnerable Code**\n\u003cimg width=\"864\" height=\"90\" alt=\"resim\" src=\"https://github.com/user-attachments/assets/a5197f10-f1fd-4331-93f9-9479d0ceebba\" /\u003e\n\n\u003cimg width=\"881\" height=\"272\" alt=\"resim\" src=\"https://github.com/user-attachments/assets/d9db963f-5d1f-4b00-a4b4-5f2dfe2b71dd\" /\u003e\n\n\u003cimg width=\"861\" height=\"271\" alt=\"resim\" src=\"https://github.com/user-attachments/assets/f7842493-3bc0-4e99-956c-7266bab15703\" /\u003e\n\n### PoC\nComplete instructions, including specific configuration details, to reproduce the vulnerability.\n\n\u003cimg width=\"909\" height=\"171\" alt=\"resim\" src=\"https://github.com/user-attachments/assets/cfc8c994-5e0c-48de-b728-464029beba0e\" /\u003e\n\n### Impact\nAn attacker can enumerate all coupon codes through automated requests.\n\n**Remediation**\nApply rate limiting unconditionally on actionUpdateCart regardless of whether \u0027number\u0027 is present.",
  "id": "GHSA-h5gm-x9wr-vhcm",
  "modified": "2026-06-19T21:15:26Z",
  "published": "2026-06-19T21:15:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-h5gm-x9wr-vhcm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/commit/df22c4f9c4ea7fb7857d833f755e49ea6f9f5bb5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/commerce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…