CVE-2022-37783: Insufficiently Protected Credentials in Craft CMS

Severity: 7.5 HIGH (NVD)
EPSS: 1.4% (top 19.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 5; latest update Dec 29

Description

All Craft CMS versions between 3.0.0 and 3.7.32 disclose the password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and an HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash without encoding it, whereas the corresponding HTML hidden field discloses the user's password hash in a masked manner, which can be decoded b

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Source    | Package               | Versions
Packagist | craftcms/cms          | 3.0.0 - 3.7.33
NVD       | craftcms/craft_cms    | 3.0.0 - 3.7.32

Vulnerability Details (3 references)

GHSA: Craft CMS discloses password hashes (2022-12-05)
CVEList: CVE-2022-37783: All Craft CMS versions between 3 (2022-12-05)
OSV: Craft CMS discloses password hashes (2022-12-05)

Threat Intelligence (2 references)

Wiz: Cross-Site Request Forgery (CSRF): Examples & Prevention | Wiz (2025-12-29)
Wiz: Cross-Site Request Forgery (CSRF): Examples & Prevention | Wiz (2025-12-29)
CVE-2022-37783 — Insufficiently Protected Credentials | cvebase