CVE-2022-37783
PHP Analyse et atténuation des vulnérabilités

Aperçu

Craft CMS versions between 3.0.0 and 3.7.32 were found to disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. The vulnerability was discovered during a penetration test by researchers at TÜV Trust IT Austria and was assigned CVE-2022-37783. The issue was fixed in version 3.7.33 (CVES AT, NVD).

Détails techniques

The vulnerability stems from bad coding practices where user password hashes were mixed into CSRF-Tokens. The password hashes were disclosed in two locations: the CRAFT_CSRF_TOKEN cookie (URL-encoded) and the CSRF-Token in the HTML page. While the cookie was protected by the HTTP-Only attribute, the HTML token was masked using a YII Framework function that could be reversed using publicly available unmasking functions. The passwords were hashed using bcrypt, which is considered a slow hash algorithm (CVES AT).

Impact

The disclosure of password hashes could allow attackers to attempt offline password cracking. If successful, attackers could gain unauthorized access to user accounts. Users utilizing SAML-Login were not affected by this vulnerability. The vulnerability received a CVSS v3.1 score of 7.5 (High), indicating significant potential impact (CVES AT).

Atténuation et solutions de contournement

The vulnerability was fixed in Craft CMS version 3.7.33. Users of affected versions are strongly encouraged to upgrade to at least version 3.7.33. The vendor marked release 3.7.33 as critical and integrated warning messages in affected versions urging users to update (CVES AT).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PHP Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-55878HIGH7.8
  • PHP logoPHP
  • cpe:2.3:a:sensiolabs:symfony
NonOuiJul 08, 2026
CVE-2026-55877MEDIUM6.1
  • PHP logoPHP
  • composer://symfony/ux-icons
NonOuiJul 08, 2026
CVE-2026-48492MEDIUM4.9
  • PHP logoPHP
  • snipe/snipe-it
NonOuiJul 08, 2026
GHSA-gq4g-fpc9-vjfqLOW2.9
  • PHP logoPHP
  • web-auth/webauthn-lib
NonOuiJul 07, 2026
CVE-2026-55542LOW1.3
  • PHP logoPHP
  • snipe/snipe-it
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités