CVE-2021-21395
Summary
| CVE | CVE-2021-21395 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-01-27 16:15:00 UTC |
| Updated | 2023-02-07 19:53:00 UTC |
| Description | Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds. |
Risk And Classification
Problem Types: CWE-352
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| HackerOne | MISC | hackerone.com | |
| Reset Password not protected against well-timed CSRF · Advisory · OpenMage/magento-lts · GitHub | MISC | github.com | |
| openmage/magento-lts - Packagist | MISC | packagist.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.