CVE-2021-21395


Magento LTS (Long Term Support) is a community-developed alternative to the official Magento CE releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery (CSRF). The password reset form is vulnerable to CSRF between the time the reset password link is clicked and the time the user submits the new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.


Published: 2023-01-27T16:15:08.323

Last Modified: 2024-11-21T05:48:16.257

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 4.2 (MEDIUM)

Weaknesses
  • Type: Primary
    CWE-352

Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | openmage | magento | < 19.4.22 | Yes |
| Application | openmage | magento | < 20.0.19 | Yes |

References