CVE-2011-5240

Magento 1.5 and 1.6.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: Nov 6, 2012
Updated: Apr 13, 2023
CVE: CVE-2011-5240
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
magentocommerce / magento	1.6.2	1.6.2.x
magentocommerce / magento	1.5	1.5.x

http://www.unrest.ca/peerjacking

Vulnerability Database

289,782

CVE-2011-5240