CVE-2021-21395

MEDIUM

OpenMage Magento < 19.4.22 - Cross-Site Request Forgery in Password Reset Form

Title source: llm

Description

Magento LTS (Long Term Support) is a community-developed alternative to the official Magento CE releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery (CSRF). The password reset form is exposed to CSRF in the window between the moment the reset-password link is clicked and the moment the user submits the new password: once the link has been followed, a cross-site request carrying the victim's session can complete the reset. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
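To make the bug class concrete, the following is an added illustration written for this page; it is not OpenMage code and does not reproduce the exact OpenMage handler or the fix shipped in 19.4.22. It models a reset flow in which clicking the e-mailed link validates the one-time token and records the authorised account in the server-side session, after which the new-password POST is authorised by the session alone. The vulnerable handler accepts any POST that carries the victim's session; the hardened handler additionally requires a per-session form key that a cross-origin page cannot read. All names (USERS, SESSIONS, form_key, run_scenario) and the sample account are assumptions constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the user store, the issued
# reset tokens and the server-side sessions. Illustrative only, not OpenMage code.
USERS = {"alice@example.com": {"password": "old-password"}}
RESET_TOKENS = {}   # token -> email, created when the reset e-mail is sent
SESSIONS = {}       # session id (cookie value) -> session data


def issue_reset_token(email):
    """Mint the random token that goes into the reset e-mail link."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    return token


def new_session():
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def click_reset_link(sid, token):
    """GET handler for the e-mailed link: consume the one-time token and mark
    the session as authorised to reset this account. From this point until the
    new password is submitted, the session alone identifies the reset in progress,
    which is exactly the window the advisory describes."""
    email = RESET_TOKENS.pop(token, None)
    if email is None:
        return False
    SESSIONS[sid]["reset_email"] = email
    # Per-session anti-CSRF secret, rendered into the legitimate form as a hidden field.
    SESSIONS[sid]["form_key"] = secrets.token_urlsafe(16)
    return True


def reset_password_post_vulnerable(sid, form):
    """Vulnerable POST handler: the browser attaches the session cookie to a
    cross-site form submission too, so an attacker page that auto-submits
    <form method=post action=.../resetpasswordpost> sets the password."""
    sess = SESSIONS[sid]
    email = sess.get("reset_email")
    if email is None:
        return False
    USERS[email]["password"] = form["password"]
    sess.pop("reset_email", None)
    return True


def reset_password_post_fixed(sid, form):
    """Hardened POST handler: require the session's form key and compare it in
    constant time. A cross-origin page cannot read the victim's form key, so a
    forged submission fails before any state changes."""
    sess = SESSIONS[sid]
    email = sess.get("reset_email")
    expected = sess.get("form_key")
    supplied = form.get("form_key", "")
    if email is None or expected is None or not hmac.compare_digest(expected, supplied):
        return False
    USERS[email]["password"] = form["password"]
    sess.pop("reset_email", None)
    sess.pop("form_key", None)
    return True


def run_forged_scenario(handler):
    """Victim follows the real link, then an attacker page auto-submits a POST
    containing only the fields the attacker knows. Returns the resulting password."""
    USERS["alice@example.com"]["password"] = "old-password"
    sid = new_session()
    token = issue_reset_token("alice@example.com")
    if not click_reset_link(sid, token):
        raise RuntimeError("token should be valid on first use")
    forged = {"password": "attacker-chosen"}   # no form_key: attacker cannot obtain it
    handler(sid, forged)
    return USERS["alice@example.com"]["password"]


def run_legitimate_scenario():
    """The genuine form, which carries the hidden form key, still works with the fix."""
    USERS["alice@example.com"]["password"] = "old-password"
    sid = new_session()
    token = issue_reset_token("alice@example.com")
    click_reset_link(sid, token)
    genuine = {"password": "new-password", "form_key": SESSIONS[sid]["form_key"]}
    return reset_password_post_fixed(sid, genuine) and USERS["alice@example.com"]["password"]


if __name__ == "__main__":
    print("vulnerable handler after forged POST:", run_forged_scenario(reset_password_post_vulnerable))
    print("fixed handler after forged POST:     ", run_forged_scenario(reset_password_post_fixed))
    print("fixed handler with genuine form:     ", run_legitimate_scenario())
```

The form-key check is the structural fix for this bug class; marking the session cookie SameSite=Lax would also block the cross-site POST in modern browsers, but it is a defence-in-depth measure rather than a substitute, and the advisory lists no workaround for the affected versions.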

References (3)

https://hackerone.com/reports/1086752 (Exploit, Third Party Advisory, x_refsource_misc)
https://packagist.org/packages/openmage/magento-lts (Third Party Advisory, x_refsource_misc)

Scores

CVSS v3 4.2
EPSS 0.0038
EPSS Percentile 30.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (2)
openmage/magento < 19.4.22
openmage/magento-lts 0 - 19.4.22 (Packagist)
Published Jan 27, 2023
Tracked Since Feb 18, 2026