Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-r3c9-9j5q-pwv4: magento-lts Reset Password not protected against well-timed CSRF

Impact

Password reset form is vulnerable to CSRF between time reset password link is clicked and user submits new password.

Patches

Versions 19.4.22 and 20.0.19 contain patches.

Workarounds

None

References

See https://hackerone.com/reports/1086752

ghsa
#csrf#vulnerability#git

Skip to content

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

*   Explore
*   All features
*   Documentation
*   GitHub Skills
*   Blog
    • For

    • Enterprise

    • Teams

    • Startups

    • Education

    • By Solution

    • CI/CD & Automation

    • DevOps

    • DevSecOps

    • Case Studies

    • Customer Stories

    • Resources

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
    

*   Repositories
*   Topics
*   Trending
*   Collections
  • Pricing
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2021-21395

magento-lts Reset Password not protected against well-timed CSRF

Package

composer openmage/magento-lts (Composer)

Affected versions

< 19.4.22

>= 20.0.0, < 20.0.19

Patched versions

19.4.22

20.0.19

Description

Published to the GitHub Advisory Database

Jan 26, 2023

Weaknesses

GHSA ID

GHSA-r3c9-9j5q-pwv4

Source code

Related news

CVE-2021-41143: Release v19.4.22 · OpenMage/magento-lts

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue.

CVE-2021-21395: openmage/magento-lts - Packagist

Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.

ghsa: Latest News

GHSA-x52f-h5g4-8qv5: Marp Core allows XSS by improper neutralization of HTML sanitization