[openmage/magento-lts] magento-lts Reset Password not protected against well-timed CSRF

Impact

Password reset form is vulnerable to CSRF between time reset password link is clicked and user submits new password.

Patches

PR forthcoming

Workarounds

None

References

• https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4
• https://hackerone.com/reports/1086752
• https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22
• https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19
• https://packagist.org/packages/openmage/magento-lts
• https://nvd.nist.gov/vuln/detail/CVE-2021-21395
• https://github.com/advisories/GHSA-r3c9-9j5q-pwv4