PT-2021-2308 · Adobe · Magento

Published: 2021-02-09 · Updated: 2024-03-06 · CVE-2021-21032

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Magento versions 2.4.1 and earlier
Magento versions 2.4.0-p1 and earlier
Magento versions 2.3.6 and earlier
Description

The issue stems from inadequate invalidation of user sessions, which can lead to unauthorized access to restricted resources. Successful exploitation does not require access to the admin console. In particular, existing sessions are not automatically terminated when a user's password is changed, so a remote attacker holding a previously established session can retain unauthorized access to limited resources after the password has been rotated.
Recommendations

Update to a version that adequately invalidates user sessions after a password change:

Magento versions 2.4.1 and earlier
Magento versions 2.4.0-p1 and earlier
Magento versions 2.3.6 and earlier

As a temporary workaround, consider implementing a custom session invalidation mechanism after password changes until a patch is available.
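The following is an added illustration of the workaround described above; it is not Magento code and not part of the advisory. It shows a generic session store in which every user carries a credential-generation counter: each session records the generation it was issued under, a password change bumps the counter, and validation rejects any session whose recorded generation no longer matches. That lazy check catches sessions that survive in caches or replicas, while an explicit purge removes them from the store eagerly. All names (SessionStore, credential_generation, the sample user "alice") are assumptions made for this example.

```python
"""Session invalidation on password change (added example, not Magento code).

The flaw in the advisory is that sessions outlive a password change. The
fix demonstrated here binds each session to the credential generation it
was issued under; changing the password bumps the generation, so every
earlier session fails validation on its next use.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: str
    salt: str
    credential_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    user: str
    generation: int      # credential generation at issue time
    issued_at: float
    expires_at: float


def _hash_password(password: str, salt: str) -> str:
    # Illustrative only; a production system uses a slow, memory-hard KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


class SessionStore:
    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_hex(16)
        self.users[name] = User(name, _hash_password(password, salt), salt)

    def _check(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))

    def login(self, name: str, password: str, now: float | None = None) -> str | None:
        """Return a session id on success, None on bad credentials."""
        user = self.users.get(name)
        if user is None or not self._check(user, password):
            return None
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(name, user.credential_generation, now, now + self.ttl)
        return sid

    def validate(self, sid: str, now: float | None = None) -> str | None:
        """Return the user name if the session is live, else None (and drop it)."""
        now = time.time() if now is None else now
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        user = self.users.get(sess.user)
        # Reject when expired OR issued under an older credential generation.
        # The generation comparison is the check whose absence lets a session
        # survive a password change.
        if user is None or now >= sess.expires_at or sess.generation != user.credential_generation:
            self.sessions.pop(sid, None)
            return None
        return sess.user

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Rotate the password and bump the generation (lazy invalidation)."""
        user = self.users.get(name)
        if user is None or not self._check(user, old):
            return False
        user.salt = secrets.token_hex(16)
        user.password_hash = _hash_password(new, user.salt)
        user.credential_generation += 1
        return True

    def revoke_all(self, name: str) -> int:
        """Eagerly purge every stored session for the user; returns the count."""
        stale = [sid for sid, s in self.sessions.items() if s.user == name]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def demo() -> dict[str, object]:
    """Two live sessions, then a password change: both must stop working."""
    store = SessionStore(ttl_seconds=600)
    store.register("alice", "correct horse")          # constructed sample user
    s1 = store.login("alice", "correct horse", now=1000.0)
    s2 = store.login("alice", "correct horse", now=1001.0)
    before = (store.validate(s1, now=1002.0), store.validate(s2, now=1002.0))
    changed = store.change_password("alice", "correct horse", "battery staple")
    after_lazy = store.validate(s1, now=1003.0)       # rejected by generation check
    purged = store.revoke_all("alice")                # s2 is still stored; purge it
    s3 = store.login("alice", "battery staple", now=1004.0)
    return {"before": before, "changed": changed, "after_lazy": after_lazy,
            "purged": purged, "new_session_ok": store.validate(s3, now=1005.0) == "alice"}
```

The generation counter matters even when an eager purge exists: a purge only reaches the sessions this store knows about, whereas the counter is checked on every request, so a copy of a pre-rotation session presented from anywhere is refused.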

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

BDU:2021-01542
BIT-MAGENTO-2021-21032
CVE-2021-21032
GHSA-4JFQ-F8HC-775Q

Affected Products

Magento