High severityNVD Advisory· Published Oct 21, 2020· Updated Aug 4, 2024
RCE in Magento
CVE-2020-15244
Description
In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openmage/magento-ltsPackagist | < 19.4.8 | 19.4.8 |
openmage/magento-ltsPackagist | >= 20.0.0, < 20.0.4 | 20.0.4 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-jrgf-vfw2-hj26ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15244ghsaADVISORY
- github.com/OpenMage/magento-lts/commit/26433d15b57978fcb7701b5f99efe8332ca8630bghsax_refsource_MISCWEB
- github.com/OpenMage/magento-lts/security/advisories/GHSA-jrgf-vfw2-hj26ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.