CVE-2020-15151 — Observable Timing Discrepancy in OpenMage LTS

Description

OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the `fromkey protection` in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.

How to fix CVE-2020-15151

To remediate CVE-2020-15151, upgrade the affected package to a fixed version below.

—upgrade to 2.3.6 or later
—upgrade to 19.4.6 or later

Is CVE-2020-15151 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.3.6
from 0, < 19.4.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-15151
PATCHgithub.com/OpenMage/magento-lts
WEBgithub.com/OpenMage/magento-lts/commit/7c526bc6a6a51b57a1bab4c60f104dc36cde347a
WEBgithub.com/OpenMage/magento-lts/security/advisories/GHSA-crf2-xm6x-46p6