CVE-2022-29933
Published 2022-05-09
Priority: P356 | Severity: high | CVSS 3.1 base score: 8.8 | Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 4.45% (90.2nd percentile)
Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).
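The mechanism behind the description above is classic password reset poisoning (CWE-640): the application builds the reset link from a host value it takes from the request, and an unauthenticated client can set that value through X-Forwarded-Host, so the email the victim receives links to a host the attacker controls and the reset token leaks when the victim clicks. The following Python model is an added example, not Craft CMS or Yii code; it shows the header-trusting pattern, a hardened version (explicit base URL, proxy allowlisting, host allowlisting), and a log check for the request shape the advisory names. The set-password path, the `code` parameter, the addresses and the log lines are all constructed for illustration.

```python
"""Password reset poisoning (CWE-640) as reported for Craft CMS in CVE-2022-29933.

Added example, not Craft CMS or Yii code. It models the pattern the advisory
describes: the host used to build the reset link is taken from a request
header the attacker controls, so the victim's email carries a link to the
attacker's domain and the reset token leaks when the victim clicks it.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Endpoint named in the advisory. The set-password path and the token
# parameter below are assumptions for illustration, not Craft's real URL format.
RESET_REQUEST_PATH = "/index.php?p=admin/actions/users/send-password-reset-email"
SET_PASSWORD_PATH = "/index.php?p=admin/set-password"


@dataclass
class Request:
    host: str                          # Host header (the site the client connected to)
    headers: dict = field(default_factory=dict)
    remote_addr: str = "198.51.100.7"  # constructed client address


def host_vulnerable(req: Request) -> str:
    """Default-config behaviour the advisory describes: any X-Forwarded-Host
    value wins, whether or not a trusted reverse proxy sent it."""
    return req.headers.get("X-Forwarded-Host", req.host)


def reset_link_vulnerable(req: Request, token: str) -> str:
    """Link as an unpatched, default-configured install would mail it."""
    return f"https://{host_vulnerable(req)}{SET_PASSWORD_PATH}&code={token}"


def reset_link_hardened(req, token, base_url=None, trusted_proxies=(), allowed_hosts=()):
    """Two independent defences: (1) an explicitly configured base URL is used
    as-is and the request is ignored; (2) without one, X-Forwarded-Host is
    honoured only from a known proxy address, and the final host must be on
    an allowlist. Either alone defeats the attack; both together is safer."""
    if base_url:
        host = urlparse(base_url).netloc
    else:
        host = req.host
        if req.remote_addr in trusted_proxies and "X-Forwarded-Host" in req.headers:
            host = req.headers["X-Forwarded-Host"]
        if host not in allowed_hosts:
            raise ValueError(f"refusing to build reset link for untrusted host {host!r}")
    return f"https://{host}{SET_PASSWORD_PATH}&code={token}"


def flag_poisoning_attempts(log_lines, allowed_hosts):
    """Detection check over access-log lines of the constructed form
    '<ts> <method> <path> <status> host=<Host> xfh=<X-Forwarded-Host or ->'.
    Returns (ts, forwarded_host) for reset requests whose X-Forwarded-Host
    is present and is not one of the site's own hosts."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 6 or not parts[2].startswith(RESET_REQUEST_PATH):
            continue
        xfh = parts[5].partition("=")[2]
        if xfh != "-" and xfh.lower() not in allowed_hosts:
            hits.append((parts[0], xfh))
    return hits


# Constructed attacker request: Host is the real site, X-Forwarded-Host is not.
ATTACK = Request("cms.example.com", {"X-Forwarded-Host": "attacker.example.net"})
TOKEN = "tok-deadbeef"  # constructed stand-in for the real reset code

# Constructed log lines (not a real Craft or web-server log format).
SAMPLE_LOG = [
    "2022-05-09T10:00:01Z POST /index.php?p=admin/actions/users/send-password-reset-email 200 host=cms.example.com xfh=-",
    "2022-05-09T10:00:02Z POST /index.php?p=admin/actions/users/send-password-reset-email 200 host=cms.example.com xfh=attacker.example.net",
    "2022-05-09T10:00:03Z GET /index.php?p=admin/login 200 host=cms.example.com xfh=attacker.example.net",
    "2022-05-09T10:00:04Z POST /index.php?p=admin/actions/users/send-password-reset-email 200 host=cms.example.com xfh=cms.example.com",
]

if __name__ == "__main__":
    print("vulnerable :", reset_link_vulnerable(ATTACK, TOKEN))
    print("hardened   :", reset_link_hardened(ATTACK, TOKEN, base_url="https://cms.example.com/"))
    print("flagged    :", flag_poisoning_attempts(SAMPLE_LOG, {"cms.example.com"}))
```

The configured base URL is the defence that matches the vendor's "adjust the configuration" position: once the application knows its own URL, nothing in the request can redirect the reset link. The proxy and host allowlists are the fallback for deployments that must derive the URL from the request, and the log check is the cheapest way to confirm whether anyone has already tried this against the endpoint.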
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 0 < 3.7.36 | 3.7.36 |
| craftcms | craft_cms | <= 3.7.36 | — |
The two ranges disagree on 3.7.36 itself: the first lists it as the fixed release, the second (and the description's "through 3.7.36") lists it as affected. Until the vendor changelog in the references has been checked, treat 3.7.36 as affected and either upgrade past it or apply the configuration workaround the vendor describes.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
PR:N and UI:R together describe the attack: no credentials are needed to trigger the reset email, but the targeted user must click the poisoned link before the reset token reaches the attacker.
GHSA (2022-05-10): Improper account password reset in Craft CMS, severity HIGH, CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). Description identical to the NVD text above.
OSV (2022-05-10): Improper account password reset in Craft CMS, severity HIGH. Description identical to the NVD text above.
No detection rules indexed.
No public exploits indexed here, although the Packet Storm and SEC Consult references below describe the poisoning attack against 3.7.36.
No writeups or analysis indexed here beyond those references.
References
http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md
https://sec-consult.com/vulnerability-lab/
https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/