CVE-2021-21395 — Cross-Site Request Forgery in Magento-lts

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

4.3MEDIUMNVD

CNA4.2

EPSS

0.1%

top 74.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openmage Magento-lts Openmage Magento

Timeline

PublishedJan 27

Description

Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDopenmage/magento20.0.0 — 20.0.19+1

▶CVEListV5openmage/magento-lts< 19.4.22+1

▶Packagistopenmage/magento-lts20.0.0 — 20.0.19+1

🔴Vulnerability Details

CVEList

Magneto-lts vulnerable to Cross-Site Request Forgery↗2023-01-27

▶

GHSA

magento-lts Reset Password not protected against well-timed CSRF↗2023-01-26

▶

OSV

magento-lts Reset Password not protected against well-timed CSRF↗2023-01-26

▶