CVE-1999-0605: An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information
An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.
AI Analysis
Technical Summary
CVE-1999-0605 is a medium-severity information disclosure issue in the Order Form shopping cart CGI program from Austin Contract Computing, affecting versions 1.0 and 1.2. The weakness is not a defect in the program's code but an incorrect deployment configuration: when the CGI program is installed or configured incorrectly, data the cart is meant to keep private becomes readable by unauthenticated remote clients. It is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v2 base score is 5.0 (medium) with vector AV:N/AC:L/Au:N/C:P/I:N/A:N: reachable over the network, low attack complexity, no authentication required, partial impact on confidentiality and no impact on integrity or availability. No patch is available for this vulnerability, and no exploits in the wild are known. Because the root cause is configuration rather than a software bug, correct setup and hardening of the web server and of the cart's installation directory are the effective mitigations. The product is a legacy CGI-based e-commerce package that was in common use in the late 1990s and early 2000s; given its age and the lack of any patch, any installation still in service remains at risk of leaking sensitive data until its configuration is corrected.
Potential Impact
For European organizations, the impact of this vulnerability could be significant if they still operate legacy e-commerce systems built on Order Form 1.0 or 1.2. Unauthorized disclosure of private information could expose customer data, including personally identifiable information (PII), payment details, or order records. The consequences include reputational damage, regulatory penalties under GDPR for failing to protect personal data, and financial losses from fraud or remediation. Although the vulnerability affects neither integrity nor availability, a confidentiality breach on its own is the harm that European data protection law is concerned with. Retailers, e-commerce operators, and any business that takes customer orders online are the organizations most exposed. Since no patch exists, mitigation depends on configuration management and, preferably, migration to a modern, supported e-commerce platform. Because exploitation requires no authentication, the vulnerability also invites opportunistic attacks from external threat actors.
Mitigation Recommendations
Given that no official patches are available, European organizations should take immediate steps to mitigate this vulnerability:
1) Audit every legacy Order Form 1.0 or 1.2 installation, verify its configuration settings, and confirm that no sensitive information is reachable through the CGI interface or the directories it uses.
2) Restrict access to the affected CGI scripts with network-level controls (firewalls) and application-level controls (web application firewalls or web server access rules), limiting exposure to trusted internal networks or authenticated users only.
3) Enforce strict access controls and monitoring on the web servers hosting the vulnerable software so that unauthorized access attempts are detected and responded to.
4) Plan the decommissioning or replacement of the Order Form CGI shopping cart with a modern, actively maintained e-commerce solution that meets current security standards.
5) Apply web server hardening best practices: disable directory listings, restrict file permissions on the cart's data files, and make sure error messages do not leak sensitive information.
6) Educate IT and security teams about the risks of legacy software and the role of configuration management in preventing similar vulnerabilities.
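The audit and hardening steps above (items 1, 2 and 5) can be scripted. The POSIX shell helper below is an added example, not code from the advisory or from Austin Contract Computing; it assumes an Apache 2.4 server and a cart installed under cgi-bin/orderform/ that keeps order data in plain files beside its scripts. Those paths, the file names, and the sample httpd.conf fragment are constructed for illustration. It finds world-readable data files under a CGI directory, detects Options lines that enable directory listings, removes the "other" read bit from the data files, and prints a hardened <Directory> block that keeps CGI execution working while refusing to serve data files and limiting access to a trusted network.

```shell
#!/bin/sh
# Added example: audit and harden a legacy CGI shopping-cart web root.
# Assumptions (not from the advisory): Apache 2.4, cart under cgi-bin/orderform/,
# order data kept in plain files next to the scripts. Adjust paths to the real site.

# Build a constructed sample tree so the script runs offline. Every path, file
# and config line here is invented for illustration.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/cgi-bin/orderform"
  printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho ok\n' \
    > "$root/cgi-bin/orderform/order.cgi"
  chmod 755 "$root/cgi-bin/orderform/order.cgi"
  # Constructed order log left world-readable (mode 644): bad.
  printf 'order=1001 name=Example Customer card=4111-1111-1111-1111\n' \
    > "$root/cgi-bin/orderform/orders.txt"
  chmod 644 "$root/cgi-bin/orderform/orders.txt"
  # Constructed vhost fragment with directory listings switched on: bad.
  printf '<Directory "/var/www/cgi-bin">\n    Options +ExecCGI +Indexes\n    Require all granted\n</Directory>\n' \
    > "$root/httpd.conf"
  echo "$root"
}

# Audit 1: list non-script files under a CGI directory that are readable by
# "other" (permission bit 004). Scripts (*.cgi, *.pl) must stay executable
# and are skipped; anything else is data the web server should never serve.
find_world_readable_data() {
  find "$1" -type f -perm -004 ! -name '*.cgi' ! -name '*.pl'
}

# Audit 2: exit 0 if any Options line in the config enables directory listings
# ("Indexes" or "+Indexes"); "-Indexes" is an explicit disable and does not match.
config_enables_indexes() {
  grep -E '^[[:space:]]*Options[[:space:]]' "$1" |
    grep -Eq '(^|[[:space:]])\+?Indexes([[:space:]]|$)'
}

# Remediate: strip the "other" read bit from every data file the audit found.
restrict_data_files() {
  find_world_readable_data "$1" | while IFS= read -r f; do
    chmod o-r "$f"
  done
}

# Emit a hardened Apache 2.4 <Directory> block: listings off, CGI still allowed,
# access limited to a trusted network, and common data-file extensions never served.
print_hardened_directory_block() {
  dir=$1; trusted=$2
  cat <<EOF
<Directory "$dir">
    Options -Indexes +ExecCGI
    Require ip $trusted
    <FilesMatch "\.(txt|dat|log|db)\$">
        Require all denied
    </FilesMatch>
</Directory>
EOF
}

# Demonstration run against the constructed tree.
root=$(make_sample_root)
echo "World-readable data files under $root/cgi-bin:"
find_world_readable_data "$root/cgi-bin"
if config_enables_indexes "$root/httpd.conf"; then
  echo "WARNING: directory listings are enabled in $root/httpd.conf"
fi
restrict_data_files "$root/cgi-bin"
echo "Suggested replacement for the <Directory> block:"
print_hardened_directory_block /var/www/cgi-bin 10.0.0.0/8
```

Point find_world_readable_data at the real CGI directory and config_enables_indexes at every loaded Apache configuration file, including included vhost files; the Require ip network in the printed block is a placeholder and must be replaced with the range that actually needs to reach the cart.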
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands
Threat ID: 682ca32cb6fd31d6ed7def3e
Added to database: 5/20/2025, 3:43:40 PM
Last enriched: 7/1/2025, 6:55:52 PM
Last updated: 8/12/2025, 6:31:43 AM