CVE-2022-29933
First published: Mon May 09 2022(Updated: )
Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Craftcms Craft Cms | <=3.7.36 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-29933?
The severity of CVE-2022-29933 is high with a CVSS score of 8.8.
How does CVE-2022-29933 affect Craft CMS?
CVE-2022-29933 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account.
What is the affected version of Craft CMS for CVE-2022-29933?
The affected version of Craft CMS for CVE-2022-29933 is up to and inclusive of version 3.7.36.
How can an attacker exploit CVE-2022-29933?
To exploit CVE-2022-29933, an attacker needs to provide a crafted HTTP header to the application while using the password reset functionality.
Are there any references available for CVE-2022-29933?
Yes, you can refer to the following sources: http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html, https://github.com/craftcms/cms/blob/develop/CHANGELOG.md, https://sec-consult.com/vulnerability-lab/
- collector/nvd-index
- vendor/craftcms
- canonical/craftcms craft cms
- version/craftcms craft cms/3.7.36