CVE-2022-37783
PHP Análisis y mitigación de vulnerabilidades

Vista general

Craft CMS versions between 3.0.0 and 3.7.32 were found to disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. The vulnerability was discovered during a penetration test by researchers at TÜV Trust IT Austria and was assigned CVE-2022-37783. The issue was fixed in version 3.7.33 (CVES AT, NVD).

Técnicas

The vulnerability stems from bad coding practices where user password hashes were mixed into CSRF-Tokens. The password hashes were disclosed in two locations: the CRAFT_CSRF_TOKEN cookie (URL-encoded) and the CSRF-Token in the HTML page. While the cookie was protected by the HTTP-Only attribute, the HTML token was masked using a YII Framework function that could be reversed using publicly available unmasking functions. The passwords were hashed using bcrypt, which is considered a slow hash algorithm (CVES AT).

Impacto

The disclosure of password hashes could allow attackers to attempt offline password cracking. If successful, attackers could gain unauthorized access to user accounts. Users utilizing SAML-Login were not affected by this vulnerability. The vulnerability received a CVSS v3.1 score of 7.5 (High), indicating significant potential impact (CVES AT).

Mitigación y soluciones alternativas

The vulnerability was fixed in Craft CMS version 3.7.33. Users of affected versions are strongly encouraged to upgrade to at least version 3.7.33. The vendor marked release 3.7.33 as critical and integrated warning messages in affected versions urging users to update (CVES AT).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado PHP Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
NoJul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades