Severity: Medium

GHSA-h5gm-x9wr-vhcm

Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass


### Summary

The `CartController` defines a `RateLimiter` behavior that is only activated when the `number` POST/GET parameter is explicitly provided.

### Details

When an attacker submits coupon codes against the session-based cart (without passing a `number` parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.

**Vulnerable Code**

![Vulnerable code screenshot 1](https://github.com/user-attachments/assets/a5197f10-f1fd-4331-93f9-9479d0ceebba)

![Vulnerable code screenshot 2](https://github.com/user-attachments/assets/d9db963f-5d1f-4b00-a4b4-5f2dfe2b71dd)

![Vulnerable code screenshot 3](https://github.com/user-attachments/assets/f7842493-3bc0-4e99-956c-7266bab15703)

### PoC

![PoC screenshot](https://github.com/user-attachments/assets/cfc8c994-5e0c-48de-b728-464029beba0e)

### Impact

An attacker can enumerate all coupon codes through automated requests.

**Remediation**

Apply rate limiting unconditionally on `actionUpdateCart`, regardless of whether `number` is present.
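The conditional-versus-unconditional behavior attachment described above, as an added PHP illustration that is not Craft Commerce's own code: `CouponAttemptLimiter`, `VulnerableCartController` and `HardenedCartController` are hypothetical names, and the limiter stands in for whatever limiter the real controller uses. Only `yii\base\ActionFilter`, `yii\web\Controller`, `yii\web\TooManyRequestsHttpException` and the `Craft::$app` request/cache accessors are real APIs.

```php
<?php
// Added example, not code from the Craft Commerce project. Class names below
// are hypothetical; the Yii base classes and Craft::$app accessors are real.

namespace app\controllers;

use Craft;
use yii\base\ActionFilter;
use yii\web\Controller;
use yii\web\TooManyRequestsHttpException;

/**
 * Hypothetical fixed-window limiter keyed on client IP and action id.
 * Stores [count, windowEnd] in the application cache.
 */
class CouponAttemptLimiter extends ActionFilter
{
    public int $maxAttempts = 10;   // attempts allowed per window
    public int $windowSeconds = 60; // window length

    public function beforeAction($action): bool
    {
        $request = Craft::$app->getRequest();
        $cache = Craft::$app->getCache();
        $key = 'coupon-attempts:' . $request->getUserIP() . ':' . $action->id;

        $entry = $cache->get($key);
        $now = time();
        if (!is_array($entry) || $entry['until'] <= $now) {
            // First attempt in a fresh window.
            $entry = ['count' => 0, 'until' => $now + $this->windowSeconds];
        }
        if ($entry['count'] >= $this->maxAttempts) {
            throw new TooManyRequestsHttpException('Too many coupon attempts.');
        }
        $entry['count']++;
        // Keep the original window end so the TTL is not extended per attempt.
        $cache->set($key, $entry, max(1, $entry['until'] - $now));

        return parent::beforeAction($action);
    }
}

/**
 * The weak pattern the advisory describes: the limiter is attached only when a
 * `number` parameter is present, so requests against the session-based cart
 * (no `number`) are never rate limited.
 */
class VulnerableCartController extends Controller
{
    public function behaviors(): array
    {
        $behaviors = parent::behaviors();
        if (Craft::$app->getRequest()->getParam('number') !== null) {
            $behaviors['rateLimiter'] = [
                'class' => CouponAttemptLimiter::class,
                'only' => ['update-cart'], // action id of actionUpdateCart()
            ];
        }
        return $behaviors;
    }
}

/**
 * The remediated pattern: the limiter is attached unconditionally, so every
 * call to actionUpdateCart() passes through it whether or not `number` is set.
 */
class HardenedCartController extends Controller
{
    public function behaviors(): array
    {
        $behaviors = parent::behaviors();
        $behaviors['rateLimiter'] = [
            'class' => CouponAttemptLimiter::class,
            'only' => ['update-cart'],
        ];
        return $behaviors;
    }
}
```

The point of the contrast is that `behaviors()` runs before the action and any request-dependent condition inside it becomes part of the attack surface; a filter that must protect an action should be attached for every request to that action, with the limiter's own key (IP, session, or cart id) deciding how attempts are counted.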


Affected packages

| Ecosystem | Package | Introduced in | Fixed in | Fix |
|---|---|---|---|---|
| Packagist | craftcms/commerce | 5.0.0 | 5.6.5 | `composer require craftcms/commerce:^5.6.5` |
| Packagist | craftcms/commerce | 4.0.0 | 4.11.2 | `composer require craftcms/commerce:^4.11.2` |
