CVE-2020-15151 — Observable Discrepancy in Magento-lts

CWE-203 — Observable Discrepancy CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

8.0HIGHNVD

GHSA4.2OSV4.2

EPSS

0.1%

top 74.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openmage Magento-lts Openmage Long Term Support Magento

Timeline

Latest updateAug 19

PublishedAug 20

Description

OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `fromkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.8

Affected Packages4 packages

▶CVEListV5openmage/magento-lts< 19.4.6"+1

▶Packagistopenmage/magento-lts20.0.0 — 20.0.2+1

▶NVDopenmage/openmage_long_term_support20.0.0 — 20.0.2+1

▶NVDmagento/magento2.3.5

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Observable Timing Discrepancy in OpenMage LTS↗2020-08-19

▶

CVEList

Observable Timing Discrepancy in OpenMage LTS↗2020-08-19

▶

OSV

Observable Timing Discrepancy in OpenMage LTS↗2020-08-19

▶