Observable Timing Discrepancy in OpenMage LTS
CVE-2020-15151

8HIGH

Key Information:

Vendor: Openmage
Status: Magento-lts
Vendor: CVE Published:; 20 August 2020

🔔 Create Openmage Vulnerability Alert

What is CVE-2020-15151?

OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the fromkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.

Affected Version(s)

magento-lts < 19.4.6" < 19.4.6"

magento-lts >= 20.0.0, < 20.0.2 < 20.0.0, 20.0.2

References

https://github.com/OpenMage/magento-lts/security/advisori...

x_refsource_CONFIRM

https://helpx.adobe.com/security/products/magento/apsb20-...

x_refsource_MISC

https://github.com/OpenMage/magento-lts/commit/7c526bc6a6...

x_refsource_MISC

CVSS V3.1

Score:

8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2020
Vulnerability Reserved
Jun 25, 2020

CVE-2020-15151 Data

.