What is CVE-2022-37783?

CVE-2022-37783 is a vulnerability in Craft CMS versions between 3.0.0 and 3.7.32 that discloses password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens.

What is the severity of CVE-2022-37783?

The severity of CVE-2022-37783 is high, with a CVSS score of 7.5.

How do I fix CVE-2022-37783?

To fix CVE-2022-37783, you should upgrade Craft CMS to version 3.7.33 or higher.

What is Anti-CSRF-Tokens in Craft CMS?

Anti-CSRF-Tokens in Craft CMS are used to prevent Cross-Site Request Forgery (CSRF) attacks by using a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN.

Where can I find more information about CVE-2022-37783?

You can find more information about CVE-2022-37783 on the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-37783), [TÜV Trust IT](https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes/), [CVES](https://cves.at/posts/cve-2022-37783/writeup/)

Vulnerability/
CVE-2022-37783

high

7.5

CWE

200 522 352

5/12/2022

3/8/2024

CVE-2022-37783: Infoleak

First published: Mon Dec 05 2022(Updated: )

All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash in without encoding it whereas the corresponding HTML hidden field discloses the users' password hash in a masked manner, which can be decoded by using public functions of the YII framework.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
composer/craftcms/cms	>=3.0.0<=3.7.32	3.7.33
Craftcms Craft Cms	>=3.0.0<=3.7.32
	>=3.0.0<=3.7.32

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-37783?
CVE-2022-37783 is a vulnerability in Craft CMS versions between 3.0.0 and 3.7.32 that discloses password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens.
What is the severity of CVE-2022-37783?
The severity of CVE-2022-37783 is high, with a CVSS score of 7.5.
How do I fix CVE-2022-37783?
To fix CVE-2022-37783, you should upgrade Craft CMS to version 3.7.33 or higher.
What is Anti-CSRF-Tokens in Craft CMS?
Anti-CSRF-Tokens in Craft CMS are used to prevent Cross-Site Request Forgery (CSRF) attacks by using a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN.
Where can I find more information about CVE-2022-37783?
You can find more information about CVE-2022-37783 on the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-37783), [TÜV Trust IT](https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes/), [CVES](https://cves.at/posts/cve-2022-37783/writeup/)

collector/nvd-index
agent/type
agent/severity
agent/weakness
agent/description
agent/first-publish-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/author
collector/github-advisory-latest
source/GitHub
alias/GHSA-h972-v458-m892
alias/CVE-2022-37783
agent/references
agent/softwarecombine
agent/event
collector/nvd-cve
collector/github-advisory
agent/tags
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/trending
vendor/craftcms
canonical/craftcms craft cms
version/craftcms craft cms/3.0.0
version/craftcms craft cms/3.7.32
package-manager/composer