CVE-2021-21395
published 2023-01-27CVE-2021-21395: Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable…
PriorityP420medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
EPSS
0.38%
30.1th percentile
Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmage | magento | < 19.4.22 | 19.4.22 |
| openmage | magento | >= 20.0.0 < 20.0.19 | 20.0.19 |
| openmage | magento-lts | < 19.4.22 | 19.4.22 |
| openmage | magento-lts | — | — |
| openmage | magento-lts | >= 0 < 19.4.22 | 19.4.22 |
| openmage | magento-lts | >= 20.0.0 < 20.0.19 | 20.0.19 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
magento-lts Reset Password not protected against well-timed CSRF
ghsa·2023-01-26
CVE-2021-21395 [MEDIUM] CWE-352 magento-lts Reset Password not protected against well-timed CSRF
magento-lts Reset Password not protected against well-timed CSRF
### Impact
Password reset form is vulnerable to CSRF between time reset password link is clicked and user submits new password.
### Patches
PR forthcoming
### Workarounds
None
OSV
magento-lts Reset Password not protected against well-timed CSRF
osv·2023-01-26
CVE-2021-21395 [MEDIUM] magento-lts Reset Password not protected against well-timed CSRF
magento-lts Reset Password not protected against well-timed CSRF
### Impact
Password reset form is vulnerable to CSRF between time reset password link is clicked and user submits new password.
### Patches
PR forthcoming
### Workarounds
None
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4https://hackerone.com/reports/1086752https://packagist.org/packages/openmage/magento-ltshttps://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4https://hackerone.com/reports/1086752https://packagist.org/packages/openmage/magento-lts
2023-01-27
Published