CVE-2020-15244

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-15244

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15244.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-15244

Aliases

GHSA-jrgf-vfw2-hj26

Related

GHSA-jrgf-vfw2-hj26

Published

2020-10-21T20:15:13.443Z

Modified

2026-02-13T02:03:44.743283Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.

References

Affected packages

Git / github.com/openmage/magento-lts

Affected ranges

Type: GIT
Repo: https://github.com/openmage/magento-lts
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

26433d15b57978fcb7701b5f99efe8332ca8630b

Introduced

16c8e84ddaf5d54eef1e025a241bdd5f9a60bd6f

Fixed

26433d15b57978fcb7701b5f99efe8332ca8630b

Affected versions

v19.*

v19.4.5

v19.4.6

v19.4.7

v20.*

v20.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15244.json"