CVE-2021-21395

Published: Jan 27, 2023

Modified: Mar 10, 2025

PUBLISHED

CVSS v3.1

4.2

MEDIUM

Description

Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.

Vendor	Product	Versions
OpenMage	magento-lts	affected `< 19.4.22` affected `>= 20.0.0, < 20.0.19`

Weaknesses (CWE)

CWE-352

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4

x_refsource_CONFIRM

https://hackerone.com/reports/1086752

x_refsource_MISC

https://packagist.org/packages/openmage/magento-lts

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-21395

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References