CVE-2021-21395

CVSS V2 None CVSS V3 None
Description
Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
Overview
  • CVE ID
  • CVE-2021-21395
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-01-27T16:15:08
  • Last Modified Date
  • 2023-02-07T19:53:19
Weakness Enumerations
CWE URL
CWE-352 http://cwe.mitre.org/data/definitions/352.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:* 1 OR 19.4.22
cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:* 1 OR 20.0.0 20.0.19
References
Reference URL Reference Tags
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4
https://hackerone.com/reports/1086752
https://packagist.org/packages/openmage/magento-lts
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2021-21395
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21395
History
Created Old Value New Value Data Type Notes
2023-01-27 16:15:46 Added to TrackCVE
2023-01-27 16:15:47 Weakness Enumeration new
2023-01-27 20:15:23 2023-01-27T19:12:46 CVE Modified Date updated
2023-01-27 20:15:23 Received Awaiting Analysis Vulnerability Status updated
2023-02-03 20:17:10 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2023-02-07 20:13:29 2023-02-07T19:53:19 CVE Modified Date updated
2023-02-07 20:13:29 Undergoing Analysis Analyzed Vulnerability Status updated
2023-02-07 20:13:30 CPE Information updated