Password Hash Disclosure in Craft CMS Versions by Pixel & Tonic
CVE-2022-37783
7.5 HIGH
What is CVE-2022-37783?
Craft CMS versions 3.0.0 through 3.7.32 disclose a user's password hash during authentication by email address or username. The flaw lies in how the CRAFT_CSRF_TOKEN cookie and the matching HTML hidden field are constructed: the cookie carries the password hash unencoded, and the hidden field carries it in a masked form that can be unmasked with public Yii framework functions. If exploited, this may lead to unauthorized access to user accounts.
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged