What is CVE-2020-15244?

CVE-2020-15244 is a high-severity vulnerability in Openmage Magento-lts, classified under Deserialization of Untrusted Data. CVSS score: 8.0/10. Published 2020-10-21.

How severe is CVE-2020-15244?

High severity. CVSS v3 base score is 8.0 out of 10.

Deserialization in Openmage Magento-lts

CVE-2020-15244

In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue…

Vulnerability class: Insecure Deserialization

EPSS: 0.009 (75.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Openmage Magento-lts — versions < 19.4.8, >= 20.0.0, < 20.0.4

Weakness classification (CWE)

References

github.com/OpenMage/magento-lts/security/advisories/GHSA-jrgf-vfw2-hj26 (x_refsource_CONFIRM)
github.com/OpenMage/magento-lts/commit/26433d15b57978fcb7701b5f99efe8332ca8630b (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-15244?: CVE-2020-15244 is a high-severity vulnerability in Openmage Magento-lts, classified under Deserialization of Untrusted Data. CVSS score: 8.0/10. Published 2020-10-21.
How severe is CVE-2020-15244?: High severity. CVSS v3 base score is 8.0 out of 10.