GHSA-crf2-xm6x-46p6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-crf2-xm6x-46p6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-crf2-xm6x-46p6/GHSA-crf2-xm6x-46p6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-crf2-xm6x-46p6
- Aliases
- Published
- 2020-08-19T18:02:36Z
- Modified
- 2023-12-06T01:00:15.663771Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- Observable Timing Discrepancy in OpenMage LTS
- Details
-
Impact
This vulnerability allows to circumvent the formkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks
Patches
The latest OpenMage Versions up from 19.4.6 and 20.0.2 have this Issue solved
References
Related to Adobes CVE-2020-9690 ( https://helpx.adobe.com/security/products/magento/apsb20-47.html ) fixed in Magento2 https://github.com/magento/magento2/commit/52d72b8010c9cecb5b8e3d98ec5edc1ddcc65fb4 as part of 2.4.0/2.3.5-p2
- Database specific
{ "nvd_published_at": "2020-08-20T01:17:00Z", "github_reviewed_at": "2020-08-19T18:02:10Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-203", "CWE-352" ] }- References
-
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-crf2-xm6x-46p6
- https://nvd.nist.gov/vuln/detail/CVE-2020-15151
- https://github.com/OpenMage/magento-lts/commit/7c526bc6a6a51b57a1bab4c60f104dc36cde347a
- https://github.com/OpenMage/magento-lts
- https://helpx.adobe.com/security/products/magento/apsb20-47.html
Affected packages
Packagist / openmage/magento-lts
Package
- Name
- openmage/magento-lts
- Purl
- pkg:composer/openmage/magento-lts
Packagist / openmage/magento-lts
Package
- Name
- openmage/magento-lts
- Purl
- pkg:composer/openmage/magento-lts