Observable Timing Discrepancy

High
Flyingmana published GHSA-crf2-xm6x-46p6 Aug 18, 2020

Package

composer openmage/magento-lts (Composer)

Affected versions

< 19.4.6, 20 < 20.0.2

Patched versions

19.4.6, 20.0.2

Description

Impact

This vulnerability allows an attacker to circumvent the form key protection in the Admin Interface and increases the attack surface for Cross-Site Request Forgery (CSRF) attacks.

Patches

This issue is fixed in OpenMage 19.4.6 and 20.0.2 and in all later versions of each branch.
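As an added illustration (not code from OpenMage or from this advisory), the pattern behind an observable timing discrepancy in a form key check, beside a version that compares in constant time with PHP's built-in hash_equals(); the function names and sample key below are assumed for this example.

```php
<?php
// Added example, not OpenMage code. Function names and sample values are assumed.

// Leaky pattern: a byte-by-byte comparison that returns at the first
// mismatch. The time it takes to reject a key depends on how many leading
// bytes were correct, which is the observable timing discrepancy this
// class of weakness is about.
function formKeyMatchesLeaky(string $expected, string $submitted): bool
{
    if (strlen($expected) !== strlen($submitted)) {
        return false;
    }
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        if ($expected[$i] !== $submitted[$i]) {
            return false; // early exit: reveals the position of the first mismatch
        }
    }
    return true;
}

// Hardened pattern: hash_equals() (PHP >= 5.6) runs in time that depends only
// on the length of its arguments, not on where they differ.
function formKeyMatches(string $expected, string $submitted): bool
{
    // The form key has a fixed, public length, so checking the length up
    // front does not disclose anything about its content.
    if ($submitted === '' || strlen($submitted) !== strlen($expected)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Usage: the expected key comes from the authenticated admin session, the
// submitted one from the request. Both values here are constructed.
$sessionFormKey = 'n3Xr7qL0cB2sV8yT';        // constructed sample, not a real key
$requestFormKey = $_POST['form_key'] ?? '';   // untrusted request input

if (!formKeyMatches($sessionFormKey, $requestFormKey)) {
    http_response_code(403);
    exit('Invalid form key');
}
```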

References

Related to Adobe's CVE-2020-9690 ( https://helpx.adobe.com/security/products/magento/apsb20-47.html ), fixed in Magento 2 in magento/magento2@52d72b8 as part of 2.4.0 / 2.3.5-p2.

Severity

High

CVE ID

CVE-2020-15151

Weaknesses

No CWEs