GHSA-r3c9-9j5q-pwv4

Suggest an improvement
Source
https://github.com/advisories/GHSA-r3c9-9j5q-pwv4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-r3c9-9j5q-pwv4/GHSA-r3c9-9j5q-pwv4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-r3c9-9j5q-pwv4
Aliases
Published
2023-01-26T19:51:48Z
Modified
2023-11-01T04:54:15.099188Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
magento-lts Reset Password not protected against well-timed CSRF
Details

Impact

Password reset form is vulnerable to CSRF between time reset password link is clicked and user submits new password.

Patches

PR forthcoming

Workarounds

None

Database specific
{
    "nvd_published_at": "2023-01-27T16:15:00Z",
    "github_reviewed_at": "2023-01-26T19:51:48Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Packagist / openmage/magento-lts

Package

Name
openmage/magento-lts
Purl
pkg:composer/openmage/magento-lts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
19.4.22

Affected versions

1.*

1.9.1.1
1.9.2.0
1.9.2.1
1.9.2.2
1.9.2.3
1.9.2.4
1.9.3.0
1.9.3.1

v19.*

v19.4.0
v19.4.1
v19.4.2
v19.4.3
v19.4.4
v19.4.5
v19.4.6
v19.4.7
v19.4.8
v19.4.9
v19.4.10
v19.4.11
v19.4.12
v19.4.13
v19.4.14
v19.4.15
v19.4.16
v19.4.17
v19.4.18
v19.4.19
v19.4.20
v19.4.21

Packagist / openmage/magento-lts

Package

Name
openmage/magento-lts
Purl
pkg:composer/openmage/magento-lts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
20.0.0
Fixed
20.0.19

Affected versions

v20.*

v20.0.0
v20.0.1
v20.0.2
v20.0.3
v20.0.4
v20.0.5
v20.0.6
v20.0.7
v20.0.8
v20.0.10
v20.0.11
v20.0.12
v20.0.13
v20.0.14
v20.0.15
v20.0.16
v20.0.17
v20.0.18