CVSS: 8.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-15244 – RCE in Magento
https://notcve.org/view.php?id=CVE-2020-15244
21 Oct 2020 — In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4. En Magento (paquete rubygems openmage/magento-lts) versiones anteriores a 19.4.8 y 20.0.4, un usuario administrador puede generar credenciales soap que pueden ser usadas para activar una RCE por medio de la inyección de objetos PHP... • https://github.com/OpenMage/magento-lts • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •