Impact
The password reset form is vulnerable to CSRF in the window between the moment a user clicks the reset-password link and the moment they submit the new password: during that window a request forged by another site, carrying the user's session cookie, can submit the password change on the user's behalf.
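To make that window concrete, the following is an added Python model of the flow as described above. It is not OpenMage code, and the session-state mechanism, the class and endpoint names and the form-key check are assumptions made for illustration: once the reset link has been validated, the pending reset is held in the server-side session, so a later POST that carries only the victim's cookie succeeds unless the form also requires a per-session form key that an attacker's page cannot read.

```python
"""Illustrative model of a reset-password flow and its CSRF window.

Constructed example; not the project's code. The flow shape (reset token
validated on the GET, pending reset kept in the session, password set on a
later POST) is an assumption used to show the attack and one mitigation.
"""
import hmac
import secrets


class ResetFlowServer:
    """Minimal stand-in for the web application: users, sessions, reset tokens."""

    def __init__(self, require_form_key: bool):
        self.require_form_key = require_form_key
        self.users = {"alice": "old-password"}      # username -> password
        self.reset_tokens = {}                       # token -> username
        self.sessions = {}                           # session id -> state

    def new_session(self) -> str:
        """Browser gets a session cookie; the session carries a per-session form key."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"form_key": secrets.token_hex(8)}
        return sid

    def request_reset(self, username: str) -> str:
        """Step 1: user asks for a reset; a one-time token is mailed to them."""
        token = secrets.token_hex(16)
        self.reset_tokens[token] = username
        return token

    def click_reset_link(self, sid: str, token: str) -> bool:
        """Step 2 (GET /resetpassword?token=...): token is consumed and the
        pending reset is remembered in the session. The window opens here."""
        user = self.reset_tokens.pop(token, None)
        if user is None:
            return False
        self.sessions[sid]["pending_reset"] = user
        return True

    def submit_new_password(self, sid: str, form: dict) -> bool:
        """Step 3 (POST /resetpasswordpost): the request an attacker can forge,
        because the browser attaches the victim's cookie automatically."""
        sess = self.sessions[sid]
        user = sess.get("pending_reset")
        if user is None:
            return False
        if self.require_form_key:
            # Mitigation: the POST must carry the session's form key, which a
            # cross-origin page cannot read. Constant-time compare.
            supplied = form.get("form_key", "")
            if not hmac.compare_digest(supplied, sess["form_key"]):
                return False
        self.users[user] = form["password"]
        del sess["pending_reset"]                    # window closes
        return True


def csrf_attack(require_form_key: bool):
    """Victim clicks the reset link, then visits an attacker page whose form
    auto-submits to the site. Returns (password changed?, alice's password)."""
    srv = ResetFlowServer(require_form_key)
    sid = srv.new_session()                          # victim's session cookie
    token = srv.request_reset("alice")
    assert srv.click_reset_link(sid, token)          # victim opened the mail link
    forged = {"password": "attacker-chosen"}         # no form_key: attacker can't see it
    return srv.submit_new_password(sid, forged), srv.users["alice"]


def legit_reset(require_form_key: bool):
    """The honest flow: the rendered page includes the form key as a hidden field."""
    srv = ResetFlowServer(require_form_key)
    sid = srv.new_session()
    token = srv.request_reset("alice")
    srv.click_reset_link(sid, token)
    form = {"password": "new-password", "form_key": srv.sessions[sid]["form_key"]}
    return srv.submit_new_password(sid, form), srv.users["alice"]


if __name__ == "__main__":
    print("without form key, forged POST:", csrf_attack(False))
    print("with form key, forged POST:   ", csrf_attack(True))
    print("with form key, honest POST:   ", legit_reset(True))
```

The model shows why the exposure is limited to the window after the link is clicked: before it, no pending reset exists in the session; after the honest submission, the pending state is cleared. Requiring a per-session form key on the POST is one mitigation; requiring the reset token itself to be resubmitted with the new password, rather than trusting session state alone, is another, and both can be combined.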
Patches
Fixed in the releases listed under References (v19.4.22 and v20.0.19); upgrade to one of those or a later release.
Workarounds
None
References
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-r3c9-9j5q-pwv4
- https://hackerone.com/reports/1086752
- https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22
- https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19
- https://packagist.org/packages/openmage/magento-lts
- https://nvd.nist.gov/vuln/detail/CVE-2021-21395
- https://github.com/advisories/GHSA-r3c9-9j5q-pwv4