CVE-2022-37783
Published 2022-12-05
CVE-2022-37783: All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens…
Priority: P3 (40) · Severity: high · CVSS 3.1 base score: 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.03% (59.6th percentile)
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and an HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash without encoding it, whereas the corresponding HTML hidden field discloses the user's password hash in a masked manner, which can be decoded by using public functions of the Yii framework.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 3.0.0 < 3.7.33 | 3.7.33 |
| craftcms | craft_cms | 3.0.0 – 3.7.32 | — |
GHSA · 2022-12-05 · CVE-2022-37783 [HIGH] CWE-200: Craft CMS discloses password hashes
OSV · 2022-12-05 · CVE-2022-37783 [HIGH]: Craft CMS discloses password hashes
No detection rules found.
No public exploits indexed.
Wiz (blogs_wiz · 2025-12-29): Cross-Site Request Forgery (CSRF): Examples & Prevention | Wiz
## What is CSRF?
Cross-site request forgery (CSRF) is a cybersecurity attack where a malicious website or attacker tricks your browser into making unwanted requests to an authenticated website. The attack exploits the trust between web applications and authenticated users: the app accepts HTTP requests (POST, GET, PUT, and DELETE) without knowing whether they are legitimate or malicious.
For example, imagine you log in to your bank account and then visit another website with a CSRF vulnerability. The compromised website can leverage your active session cookie to disguise itself as you and perform malicious actions, such as transferring money from your account, without further authentication.
## How CSRF works
CSRF exploits apps with flawed session management and weaknesses
References:
- http://www.openwall.com/lists/oss-security/2024/06/06/1
- https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes/
- https://cves.at/posts/cve-2022-37783/writeup/
Published: 2022-12-05