CVE-2020-15244

Published: 2020-10-21T20:15Z

Last Modified: 2024-11-21T05:05Z

Source: MITRE CVE List

License: MITRE-CVE-TOS

In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt