4.3

CVE-2021-21395

Exploit

Magneto-lts vulnerable to Cross-Site Request Forgery

Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenmageMagento SwEditionlts Version < 19.4.22
OpenmageMagento SwEditionlts Version >= 20.0.0 < 20.0.19
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.38% 0.299
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
security-advisories@github.com 4.2 1.6 2.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4
Third Party Advisory
https://hackerone.com/reports/1086752
Third Party Advisory
Exploit
https://packagist.org/packages/openmage/magento-lts
Third Party Advisory