ghsa-crf2-xm6x-46p6
Vulnerability from github
Published
2020-08-19 18:02
Modified
2021-11-19 15:36
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
Observable Timing Discrepancy in OpenMage LTS
Details

Impact

This vulnerability allows to circumvent the formkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks

Patches

The latest OpenMage Versions up from 19.4.6 and 20.0.2 have this Issue solved

References

Related to Adobes CVE-2020-9690 ( https://helpx.adobe.com/security/products/magento/apsb20-47.html ) fixed in Magento2 https://github.com/magento/magento2/commit/52d72b8010c9cecb5b8e3d98ec5edc1ddcc65fb4 as part of 2.4.0/2.3.5-p2

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "openmage/magento-lts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "19.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "openmage/magento-lts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0"
            },
            {
              "fixed": "20.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-19T18:02:10Z",
    "nvd_published_at": "2020-08-20T01:17:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThis vulnerability allows to circumvent the **formkey protection** in the Admin Interface and increases the attack surface for  **Cross Site Request Forgery** attacks \n\n### Patches\nThe latest OpenMage Versions up from 19.4.6 and 20.0.2 have this Issue solved\n\n\n### References\nRelated to Adobes CVE-2020-9690 ( https://helpx.adobe.com/security/products/magento/apsb20-47.html )\nfixed in Magento2 https://github.com/magento/magento2/commit/52d72b8010c9cecb5b8e3d98ec5edc1ddcc65fb4\nas part of 2.4.0/2.3.5-p2",
  "id": "GHSA-crf2-xm6x-46p6",
  "modified": "2021-11-19T15:36:13Z",
  "published": "2020-08-19T18:02:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-crf2-xm6x-46p6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15151"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/commit/7c526bc6a6a51b57a1bab4c60f104dc36cde347a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenMage/magento-lts"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb20-47.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Observable Timing Discrepancy in OpenMage LTS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.