CVE-2022-37783
published 2022-12-05

CVE-2022-37783: All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens…

Priority: P3 (40)
CVSS 3.1: 7.5 (high)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.03% (59.6th percentile)
All Craft CMS versions between 3.0.0 and 3.7.32 disclose the password hashes of users who authenticate with their email address or username in anti-CSRF tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and an HTML hidden field also called CRAFT_CSRF_TOKEN to prevent Cross-Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash without any encoding, whereas the corresponding HTML hidden field discloses the user's password hash in a masked form that can be decoded using public functions of the Yii framework.

Affected (2 ranges)

Vendor    Product    Version range         Fixed in
craftcms  cms        >= 3.0.0, < 3.7.33    3.7.33
craftcms  craft_cms  3.0.0 – 3.7.32