CVE-2020-15151
Published 2020-08-20

EPSS: 0.93% (56.2th percentile)
OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `formkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.

Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magento | magento | <= 2.3.5 | — |
| openmage | magento-lts | < 19.4.6 | 19.4.6 |
| openmage | magento-lts | — | — |
| openmage | magento-lts | >= 0 < 19.4.6 | 19.4.6 |
| openmage | magento-lts | >= 20.0.0 < 20.0.2 | 20.0.2 |
| openmage | openmage_long_term_support | < 19.4.6 | 19.4.6 |
| openmage | openmage_long_term_support | >= 20.0.0 < 20.0.2 | 20.0.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:N |
| ghsa | — | 4.2 | MEDIUM | — |
| osv | — | 4.2 | MEDIUM | — |
GHSA

Observable Timing Discrepancy in OpenMage LTS
ghsa · 2020-08-19 · CVSS 4.2 · CVE-2020-15151 [MEDIUM] · CWE-203
### Impact
This vulnerability allows an attacker to circumvent the **formkey protection** in the Admin Interface and increases the attack surface for **Cross Site Request Forgery** attacks.
### Patches
OpenMage versions 19.4.6 and 20.0.2 and later have this issue fixed.
### References
Related to Adobe's CVE-2020-9690 (https://helpx.adobe.com/security/products/magento/apsb20-47.html).
Fixed in Magento 2 by https://github.com/magento/magento2/commit/52d72b8010c9cecb5b8e3d98ec5edc1ddcc65fb4 as part of 2.4.0/2.3.5-p2.
OSV

Observable Timing Discrepancy in OpenMage LTS
osv · 2020-08-19 · CVSS 4.2 · CVE-2020-15151 [MEDIUM]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/OpenMage/magento-lts/commit/7c526bc6a6a51b57a1bab4c60f104dc36cde347a
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-crf2-xm6x-46p6
https://helpx.adobe.com/security/products/magento/apsb20-47.html