Magento 1.x versions have observable timing discrepancy vulnerability (CVE-2020-9690). Successful exploitation could lead to signature verification bypass. This vulnerability allows to circumvent the formkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks.
The vulnerability is fixed in APSB20-47 patch for M1.x adopted from corresponding patch for Magento2 versions. OpenMage v19.4.6 and 20.0.2 have this vulnerability fixed as well.
Solution
Upgrade to OpenMage v19.4.6 or install this patch for M1.x to protect your store from this vulnerability.Magento version | SUPEE-APSB20-47 | MD5 checksum |
---|---|---|
Magento CE 1.9.4.0-1.9.4.5 | SUPEE-11346 1.9.4.5 | 8be29901c03e24337969a0e6ed3e1c09 |
OpenMage v19.4.3 | upgrade to v19.4.6 or newer | |
OpenMage v19.4.6 | the patch is already included |