CVE-2022-29933 - OpenCVE

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Craftcms	Craft Cms

Configuration 1 [-]

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md
https://sec-consult.com/vulnerability-lab/
https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-05-09T17:48:45

Updated: 2024-08-03T06:33:43.179Z

Reserved: 2022-04-29T00:00:00

Link: CVE-2022-29933

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-09T18:15:08.587

Modified: 2022-05-18T14:14:30.080

Link: CVE-2022-29933

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-09T21:02:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://sec-consult.com/vulnerability-lab/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html"}, {"tags": ["x_refsource_MISC"], "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-29933", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://sec-consult.com/vulnerability-lab/", "refsource": "MISC", "url": "https://sec-consult.com/vulnerability-lab/"}, {"name": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md", "refsource": "MISC", "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md"}, {"name": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html"}, {"name": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/", "refsource": "MISC", "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:33:43.179Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sec-consult.com/vulnerability-lab/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-29933", "datePublished": "2022-05-09T17:48:45", "dateReserved": "2022-04-29T00:00:00", "dateUpdated": "2024-08-03T06:33:43.179Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA0B609E-3DE6-4350-B72B-6039A200BBAD", "versionEndIncluding": "3.7.36", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration)."}, {"lang": "es", "value": "Craft CMS versiones hasta 3.7.36, permite a un atacante remoto no autenticado, que conoce al menos un nombre de usuario v\u00e1lido, restablecer la contrase\u00f1a de la cuenta y tomar el control de la cuenta proporcionando un encabezado HTTP dise\u00f1ado a la aplicaci\u00f3n mientras es usada la funcionalidad password reset. En concreto, el atacante debe enviar X-Forwarded-Host al URI /index.php?p=admin/actions/users/send-password-reset-email. NOTA: la posici\u00f3n del proveedor es que un cliente ya puede mitigar esto al ajustar la configuraci\u00f3n (es decir, no usando la configuraci\u00f3n por defecto)"}], "id": "CVE-2022-29933", "lastModified": "2022-05-18T14:14:30.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-09T18:15:08.587", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://sec-consult.com/vulnerability-lab/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}