
Patch for CVE-2020-15244

The Magento 1.x patch for CVE-2020-15244 was released on October 20, 2020 to close a remote code execution via PHP object injection (an unguarded unserialize() call) reachable through SOAP API requests.
The patch is included in OpenMage v19.4.8.

All earlier OpenMage versions, and all Magento 1.x versions, should be patched or upgraded to close CVE-2020-15244.
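The following is an added example, not code from OpenMage, Magento or the patch, that shows why a raw unserialize() on stored or request-supplied data is a PHP object injection sink and what the hardened equivalent looks like. The gadget class TempFileCleaner, the two loadProfile* functions and the serialized payload are all constructed for illustration; the project's own helper is not reproduced here.

```php
<?php
// Added example, not OpenMage/Magento code: demonstrates PHP object injection
// through unserialize() and a hardened loader that only admits arrays.
// The class name, function names and payload below are constructed for
// illustration and do not exist in the project.

declare(strict_types=1);

// Hypothetical "gadget": a class with a magic method that does something
// dangerous with attacker-controlled state. Real gadgets live in the
// framework or a library; the attacker only needs the class to be loadable.
final class TempFileCleaner
{
    public string $path = '';

    // Runs when the object is garbage-collected, which happens immediately
    // if the caller discards the return value of unserialize().
    public function __destruct()
    {
        if ($this->path !== '' && file_exists($this->path)) {
            unlink($this->path); // attacker-chosen path => arbitrary file delete
        }
    }
}

// Vulnerable: native unserialize() instantiates any class named in the blob,
// so a serialized TempFileCleaner gets its __destruct() executed.
function loadProfileVulnerable(string $blob)
{
    return unserialize($blob);
}

// Hardened: allowed_classes => false (PHP 7.0+) turns every object in the
// blob into __PHP_Incomplete_Class, so no magic method of a real class runs.
// We then require an array, the only shape a recurring profile should have,
// and reject objects smuggled inside nested arrays.
function loadProfileHardened(string $blob): array
{
    $result = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($result)) {
        throw new UnexpectedValueException('serialized profile is not an array');
    }
    array_walk_recursive($result, function ($value): void {
        if (is_object($value)) {
            throw new UnexpectedValueException('object found in serialized profile');
        }
    });
    return $result;
}

// Constructed demo: a victim file and a payload naming the gadget class.
$victim  = tempnam(sys_get_temp_dir(), 'victim');
$payload = sprintf(
    'O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim),
    $victim
);

try {
    loadProfileHardened($payload);
} catch (UnexpectedValueException $e) {
    echo "hardened: rejected (", $e->getMessage(), "); victim file exists: ",
        var_export(file_exists($victim), true), "\n";
}

// A well-formed array profile is still accepted by the hardened loader.
$profile = loadProfileHardened(serialize(['period' => 'month', 'cycles' => 12]));
echo "hardened: accepted array with ", count($profile), " keys\n";

loadProfileVulnerable($payload); // object created and destroyed at once
echo "vulnerable: victim file exists: ", var_export(file_exists($victim), true), "\n";
```

Run it with `php example.php`: the hardened loader throws and leaves the victim file in place, the vulnerable loader deletes it without the calling code ever touching TempFileCleaner. The second argument to unserialize() is the cheapest fix on PHP 7+; a project helper that additionally enforces the array shape, as the patch's unserializeArray helper does by name, is the better long-term contract because it fails closed on any unexpected type.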

The patch is as follows:

diff --git a/app/code/core/Mage/Catalog/Model/Product/Attribute/Api.php b/app/code/core/Mage/Catalog/Model/Product/Attribute/Api.php
index cf813a83cb..bfbddaad7f 100644
--- app/code/core/Mage/Catalog/Model/Product/Attribute/Api.php
+++ app/code/core/Mage/Catalog/Model/Product/Attribute/Api.php
@@ -236,6 +236,10 @@ public function remove($attribute)
             $this->_fault('can_not_delete');
         }
 
+        if (!$model->getIsUserDefined()) {
+            $this->_fault('can_not_delete');
+        }
+
         try {
             $model->delete();
             return true;
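Review bot: the new getIsUserDefined() guard reuses the 'can_not_delete' fault of the branch directly above it, so API clients cannot tell why the call was refused and the same refusal is now spread over two blocks; either fold it into the existing condition or return a distinct fault code, and add a one-line comment stating that system (non user-defined) attributes must never be removable through the SOAP API, since nothing in the hunk records that security intent.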
diff --git a/app/code/core/Mage/Catalog/Model/Resource/Product/Collection.php b/app/code/core/Mage/Catalog/Model/Resource/Product/Collection.php
index 2e0aa1ffe7..02ccd87167 100644
--- app/code/core/Mage/Catalog/Model/Resource/Product/Collection.php
+++ app/code/core/Mage/Catalog/Model/Resource/Product/Collection.php
@@ -542,7 +542,7 @@ protected function _afterLoad()
 
         foreach ($this as $product) {
             if ($product->isRecurring() && $profile = $product->getRecurringProfile()) {
-                $product->setRecurringProfile(unserialize($profile));
+                $product->setRecurringProfile(Mage::helper('core/unserializeArray')->unserialize($profile));
             }
         }
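Review bot: the foreach in _afterLoad() has no try/catch, so if Mage::helper('core/unserializeArray')->unserialize() throws on data that is not a serialized array (which its name suggests it enforces), a single malformed stored profile would now abort loading of the whole product collection where the raw unserialize() previously returned false; consider catching per product, e.g. `try { ... } catch (Exception $e) { Mage::logException($e); }`, so one bad row degrades to a missing profile rather than a failed collection load.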