CVE-2021-21395 — magento-lts Reset Password not protected against well-timed CSRF

Description

### Impact Password reset form is vulnerable to CSRF between time reset password link is clicked and user submits new password. ### Patches PR forthcoming ### Workarounds None

How to fix CVE-2021-21395

To remediate CVE-2021-21395, upgrade the affected package to a fixed version below.

Packagist/openmage/magento-lts—upgrade to 19.4.22 or later

Is CVE-2021-21395 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 19.4.22

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21395
PATCHgithub.com/OpenMage/magento-lts
WEBgithub.com/OpenMage/magento-lts/releases/tag/v19.4.22
WEBgithub.com/OpenMage/magento-lts/releases/tag/v20.0.19