A Cross Site Request Forgery (CSRF) vulnerability exists when a ASP.NET Core web application is created using vulnerable project templates.
An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim’s user account without his/her consent. As a result, a victim of this attack may be permanently locked out of his/her account after loosing access to his/her 2FA device, as the initial recovery codes would be no longer valid.
The update corrects the ASP.NET Core project templates.