4.3
CVE-2021-21395
- EPSS 0.38%
- Veröffentlicht 27.01.2023 16:15:08
- Zuletzt bearbeitet 21.11.2024 05:48:16
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Magneto-lts vulnerable to Cross-Site Request Forgery
Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.299 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
|
| security-advisories@github.com | 4.2 | 1.6 | 2.5 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4
https://hackerone.com/reports/1086752
https://packagist.org/packages/openmage/magento-lts