GHSA-r3c9-9j5q-pwv4

Source
https://github.com/advisories/GHSA-r3c9-9j5q-pwv4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-r3c9-9j5q-pwv4/GHSA-r3c9-9j5q-pwv4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r3c9-9j5q-pwv4
Aliases
Published
2023-01-26T19:51:48Z
Modified
2023-11-08T04:04:44.534450Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
magento-lts Reset Password not protected against well-timed CSRF
Details

Impact

The password reset form is vulnerable to CSRF during the window between the moment the reset-password link is clicked and the moment the user submits the new password: a request forged from another origin and submitted in that window is accepted as the user's own password change (CWE-352; integrity impact only, user interaction required).
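The timing window described above, as an added example that is not part of this advisory or of magento-lts: a constructed Python model of a two-step reset flow (click the emailed link, then POST the new password) with the unprotected second step beside a version that additionally requires a per-session CSRF token in the POST body. The session and store layout, the 600-second link lifetime and the field names `password` and `csrf_token` are assumptions made for the illustration; the token check is a standard CSRF mitigation and is not a claim about how the project's fix (versions 19.4.22 and 20.0.19) is implemented.

```python
"""Constructed model of a password-reset flow: the final "submit new password"
step without and with a CSRF token check. Not magento-lts code."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

RESET_TTL = 600  # seconds the emailed reset link stays valid (assumed value)


@dataclass
class Session:
    """Server-side state for one browser session (constructed stand-in)."""
    reset_user: str | None = None  # set once a valid reset link has been clicked
    # Per-session secret embedded only in forms rendered by the site's own
    # origin; a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Store:
    """Minimal account store: user -> password, user -> (reset token, expiry)."""
    passwords: dict[str, str] = field(default_factory=dict)
    reset_tokens: dict[str, tuple[str, float]] = field(default_factory=dict)


def request_reset(store: Store, user: str, now: float) -> str:
    """Issue the single-use token that would be embedded in the emailed link."""
    token = secrets.token_urlsafe(32)
    store.reset_tokens[user] = (token, now + RESET_TTL)
    return token


def click_reset_link(store: Store, session: Session, user: str, token: str, now: float) -> bool:
    """Step 1: the user follows the link. If the token is valid the session enters
    the reset window; the new password is collected by a later POST."""
    entry = store.reset_tokens.get(user)
    if entry is None:
        return False
    stored, expiry = entry
    if now > expiry or not hmac.compare_digest(stored.encode(), token.encode()):
        return False
    session.reset_user = user
    return True


def _finish_reset(store: Store, session: Session, new_password: str) -> None:
    store.passwords[session.reset_user] = new_password
    store.reset_tokens.pop(session.reset_user, None)  # link token is single-use
    session.reset_user = None


def submit_new_password_vulnerable(store: Store, session: Session, form: dict) -> bool:
    """Step 2, unprotected: any POST arriving inside the reset window is honoured,
    so a form auto-submitted from an attacker's page sets the password."""
    if session.reset_user is None or not form.get("password"):
        return False
    _finish_reset(store, session, form["password"])
    return True


def submit_new_password_fixed(store: Store, session: Session, form: dict) -> bool:
    """Step 2, protected: the POST must also carry this session's CSRF token,
    which a cross-origin page cannot obtain."""
    if session.reset_user is None or not form.get("password"):
        return False
    supplied = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(session.csrf_token.encode(), supplied.encode()):
        return False
    _finish_reset(store, session, form["password"])
    return True


def demo() -> dict:
    """Replay the well-timed forged POST against both handlers and report the outcome."""
    results: dict = {}
    now = 1_700_000_000.0
    forged = {"password": "attacker-chosen"}  # no csrf_token: the attacker cannot read it

    # Unprotected site: victim clicks the link, then the attacker's page submits.
    store, session = Store(passwords={"alice": "old-pw"}), Session()
    token = request_reset(store, "alice", now)
    assert click_reset_link(store, session, "alice", token, now + 30)
    results["vulnerable_accepts_forged"] = submit_new_password_vulnerable(store, session, forged)
    results["vulnerable_password"] = store.passwords["alice"]

    # Protected site: the same forged POST is rejected, the genuine form succeeds.
    store, session = Store(passwords={"alice": "old-pw"}), Session()
    token = request_reset(store, "alice", now)
    assert click_reset_link(store, session, "alice", token, now + 30)
    results["fixed_rejects_forged"] = submit_new_password_fixed(store, session, forged)
    results["fixed_rejects_bad_token"] = submit_new_password_fixed(
        store, session, {"password": "attacker-chosen", "csrf_token": "guess"})
    genuine = {"password": "new-pw", "csrf_token": session.csrf_token}
    results["fixed_accepts_genuine"] = submit_new_password_fixed(store, session, genuine)
    results["fixed_password"] = store.passwords["alice"]

    # The link token itself still expires after RESET_TTL.
    store2 = Store(passwords={"bob": "old-pw"})
    token2 = request_reset(store2, "bob", now)
    results["expired_link_rejected"] = click_reset_link(
        store2, Session(), "bob", token2, now + RESET_TTL + 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that validating the emailed link is not enough: once the session is inside the reset window, the password-setting POST needs its own proof of origin, here a per-session token compared with `hmac.compare_digest`. A `SameSite` attribute on the session cookie is a useful second layer, but the token check is what closes the window on its own.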

Patches

PR forthcoming (the affected-package data below lists 19.4.22 and 20.0.19 as the fixed versions)

Workarounds

None

Database specific
{
    "nvd_published_at": "2023-01-27T16:15:00Z",
    "github_reviewed_at": "2023-01-26T19:51:48Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Packagist / openmage/magento-lts

Package

Name
openmage/magento-lts
Purl
pkg:composer/openmage/magento-lts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
19.4.22

Affected versions

1.*

1.9.1.1
1.9.2.0
1.9.2.1
1.9.2.2
1.9.2.3
1.9.2.4
1.9.3.0
1.9.3.1

v19.*

v19.4.0
v19.4.1
v19.4.2
v19.4.3
v19.4.4
v19.4.5
v19.4.6
v19.4.7
v19.4.8
v19.4.9
v19.4.10
v19.4.11
v19.4.12
v19.4.13
v19.4.14
v19.4.15
v19.4.16
v19.4.17
v19.4.18
v19.4.19
v19.4.20
v19.4.21

Packagist / openmage/magento-lts

Package

Name
openmage/magento-lts
Purl
pkg:composer/openmage/magento-lts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
20.0.0
Fixed
20.0.19

Affected versions

v20.*

v20.0.0
v20.0.1
v20.0.2
v20.0.3
v20.0.4
v20.0.5
v20.0.6
v20.0.7
v20.0.8
v20.0.10
v20.0.11
v20.0.12
v20.0.13
v20.0.14
v20.0.15
v20.0.16
v20.0.17
v20.0.18