CVE-2020-15244
published 2020-10-21

Priority: P339high
CVSS 3.1: 7.2 (high)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.25% (65.6th percentile)
In Magento (the openmage/magento-lts package, which is a Composer package despite the "rubygems" label in the original advisory text) before versions 19.4.8 and 20.0.4, an admin user can generate SOAP credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. Exploitation requires an authenticated admin (PR:H in the vector), but the result is full code execution on the web server. The issue is patched in versions 19.4.8 and 20.0.4.

Affected

6 ranges
Vendor    Product      Version range        Fixed in
openmage  magento      <= 19.4.8            (not listed)
openmage  magento      >= 20.0.0, < 20.0.4  20.0.4
openmage  magento-lts  < 19.4.8             19.4.8
openmage  magento-lts  (not listed)         (not listed)
openmage  magento-lts  >= 0, < 19.4.8       19.4.8
openmage  magento-lts  >= 20.0.0, < 20.0.4  20.0.4

Note that the first "magento" range is written inclusive (<= 19.4.8) with no fixed version, which contradicts the advisory text above; treat 19.4.8 and 20.0.4 as the first fixed releases of their respective branches.
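The ranges above reduce to two release branches: anything below 19.4.8, and 20.0.0 up to but not including 20.0.4. The following script, an added example that is not part of the CVE record or of the OpenMage project, reads a composer.lock and reports whether the installed openmage/magento-lts (or openmage/magento) version falls into either range. The composer.lock fragment embedded at the bottom is constructed for the demonstration; run it against a real lock file by passing its contents to check_composer_lock.

```python
"""Check an OpenMage composer.lock against the CVE-2020-15244 affected ranges.

Affected, per the advisory: versions below 19.4.8, and 20.0.0 <= v < 20.0.4.
Fixed in 19.4.8 and 20.0.4.
"""
import json
import re

# Package names as they appear in the advisory's affected table.
PACKAGES = {"openmage/magento-lts", "openmage/magento"}

# (lower bound inclusive, upper bound exclusive, first fixed version) per branch.
AFFECTED_RANGES = [
    ((0, 0, 0), (19, 4, 8), "19.4.8"),
    ((20, 0, 0), (20, 0, 4), "20.0.4"),
]


def parse_version(text):
    """Turn 'v19.4.7', '20.0.3' or '19.4.8-p1' into a comparable int tuple.

    Only the leading major.minor.patch is compared; a patch suffix such as
    '-p1' sorts with its base release, and a branch alias like 'dev-main'
    is rejected so it is never silently reported as safe.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version):
    """Return the first fixed version if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v < high:
            return fixed
    return None


def check_composer_lock(lock_text):
    """Map each relevant locked package to (installed, fixed_or_None).

    A version that cannot be parsed is reported as 'unknown' rather than
    as not affected, so it still shows up for manual review.
    """
    lock = json.loads(lock_text)
    results = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") not in PACKAGES:
            continue
        installed = pkg["version"]
        try:
            fixed = fixed_version_for(installed)
        except ValueError:
            fixed = "unknown"
        results[pkg["name"]] = (installed, fixed)
    return results


# Constructed sample composer.lock fragment (not taken from any real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "openmage/magento-lts", "version": "19.4.7"},
        {"name": "symfony/polyfill-php80", "version": "v1.18.1"},
    ]
})

if __name__ == "__main__":
    for name, (installed, fixed) in check_composer_lock(SAMPLE_LOCK).items():
        if fixed is None:
            print(f"{name} {installed}: not in an affected range")
        elif fixed == "unknown":
            print(f"{name} {installed}: version not parseable, check manually")
        else:
            print(f"{name} {installed}: affected by CVE-2020-15244, upgrade to {fixed}")
```

The check deliberately compares only major.minor.patch, so 19.4.8-p1 is treated as fixed while 19.4.7 and 20.0.3 are flagged; a non-numeric version such as a dev branch alias is surfaced as unknown instead of being assumed safe. Remember that the vector's PR:H means this is an admin-to-RCE issue, so an unpatched store is only as safe as every admin credential and session.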

CVSS provenance

Source  Version   Score  Severity  Vector
NVD     CVSS 3.1  7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD     CVSS 2.0  6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P