CVE-2022-29933 - OpenCVE

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Craftcms	Craft Cms

Configuration 1 [-]

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html	Exploit Third Party Advisory VDB Entry
https://github.com/craftcms/cms/blob/develop/CHANGELOG.md	Release Notes Third Party Advisory
https://sec-consult.com/vulnerability-lab/	Third Party Advisory
https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-05-09T17:48:45

Updated: 2022-05-09T21:02:24

Reserved: 2022-04-29T00:00:00

Link: CVE-2022-29933

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-09T18:15:08.587

Modified: 2022-05-18T14:14:30.080

Link: CVE-2022-29933

JSON object: View

Redhat Information

No data.

CWE

CWE-640

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-09T21:02:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://sec-consult.com/vulnerability-lab/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html"}, {"tags": ["x_refsource_MISC"], "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-29933", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://sec-consult.com/vulnerability-lab/", "refsource": "MISC", "url": "https://sec-consult.com/vulnerability-lab/"}, {"name": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md", "refsource": "MISC", "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md"}, {"name": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html"}, {"name": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/", "refsource": "MISC", "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-29933", "datePublished": "2022-05-09T17:48:45", "dateReserved": "2022-04-29T00:00:00", "dateUpdated": "2022-05-09T21:02:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA0B609E-3DE6-4350-B72B-6039A200BBAD", "versionEndIncluding": "3.7.36", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration)."}, {"lang": "es", "value": "Craft CMS versiones hasta 3.7.36, permite a un atacante remoto no autenticado, que conoce al menos un nombre de usuario v\u00e1lido, restablecer la contrase\u00f1a de la cuenta y tomar el control de la cuenta proporcionando un encabezado HTTP dise\u00f1ado a la aplicaci\u00f3n mientras es usada la funcionalidad password reset. En concreto, el atacante debe enviar X-Forwarded-Host al URI /index.php?p=admin/actions/users/send-password-reset-email. NOTA: la posici\u00f3n del proveedor es que un cliente ya puede mitigar esto al ajustar la configuraci\u00f3n (es decir, no usando la configuraci\u00f3n por defecto)"}], "id": "CVE-2022-29933", "lastModified": "2022-05-18T14:14:30.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-09T18:15:08.587", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/166989/Craft-CMS-3.7.36-Password-Reset-Poisoning-Attack.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/craftcms/cms/blob/develop/CHANGELOG.md"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://sec-consult.com/vulnerability-lab/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sec-consult.com/vulnerability-lab/advisory/password-reset-poisoning-attack-craft-cms/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}