Vulnerability Description
In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openmage | Magento | <= 19.4.8 |
Related Weaknesses (CWE)
References
- https://github.com/OpenMage/magento-lts/commit/26433d15b57978fcb7701b5f99efe8332PatchVendor Advisory
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jrgf-vfw2-hj26Vendor Advisory
- https://github.com/OpenMage/magento-ltsVendor Advisory
- https://github.com/OpenMage/magento-lts/commit/26433d15b57978fcb7701b5f99efe8332PatchVendor Advisory
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jrgf-vfw2-hj26Vendor Advisory
FAQ
What is CVE-2020-15244?
CVE-2020-15244 is a vulnerability with a CVSS score of 8.0 (HIGH). In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through produ...
How severe is CVE-2020-15244?
CVE-2020-15244 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15244?
Check the references section above for vendor advisories and patch information. Affected products include: Openmage Magento.