Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-21395— Magneto-lts vulnerable to Cross-Site Request Forgery

CVSS 4.2 · Medium EPSS 0.09% · P25
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-21395

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Magneto-lts vulnerable to Cross-Site Request Forgery
Source: NVD (National Vulnerability Database)
Vulnerability Description
Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenMage Magento Lts 跨站请求伪造漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenMage Magento Lts(Magento)是OpenMage组织的一个电子商务系统。 Magneto LTS 19.4.22之前版本、20.0.19之前版本存在跨站请求伪造漏洞,该漏洞源于在单击重置密码链接和用户提交新密码之间,密码重置表单容易受到跨站点请求伪造攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
OpenMagemagento-lts < 19.4.22 -

II. Public POCs for CVE-2021-21395

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2021-21395

登录查看更多情报信息。

Same Patch Batch · OpenMage · 2023-01-27 · 6 CVEs total

CVE-2021-411448.8 HIGHOpenMage LTS authenticated remote code execution through layout update
CVE-2021-392177.2 HIGHOpenMage LTS arbitrary command execution in custom layout update through blocks
CVE-2021-411437.2 HIGHOpenMage LTS arbitrary file deletion in customer media allows for remote code execution
CVE-2021-412317.2 HIGHOpenMage LTS DataFlow upload remote code execution vulnerability
CVE-2023-236174.9 MEDIUMOpenMage LTS has DoS vulnerability in MaliciousCode filter

IV. Related Vulnerabilities

Same product: magento-lts
Same vendor: OpenMage
Same weakness: CWE-352

V. Comments for CVE-2021-21395

No comments yet

Leave a comment