CVE-2022-37783
PHP Analisi e mitigazione delle vulnerabilità

Panoramica

Craft CMS versions between 3.0.0 and 3.7.32 were found to disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. The vulnerability was discovered during a penetration test by researchers at TÜV Trust IT Austria and was assigned CVE-2022-37783. The issue was fixed in version 3.7.33 (CVES AT, NVD).

Dettagli tecnici

The vulnerability stems from bad coding practices where user password hashes were mixed into CSRF-Tokens. The password hashes were disclosed in two locations: the CRAFT_CSRF_TOKEN cookie (URL-encoded) and the CSRF-Token in the HTML page. While the cookie was protected by the HTTP-Only attribute, the HTML token was masked using a YII Framework function that could be reversed using publicly available unmasking functions. The passwords were hashed using bcrypt, which is considered a slow hash algorithm (CVES AT).

Impatto

The disclosure of password hashes could allow attackers to attempt offline password cracking. If successful, attackers could gain unauthorized access to user accounts. Users utilizing SAML-Login were not affected by this vulnerability. The vulnerability received a CVSS v3.1 score of 7.5 (High), indicating significant potential impact (CVES AT).

Mitigazione e soluzioni alternative

The vulnerability was fixed in Craft CMS version 3.7.33. Users of affected versions are strongly encouraged to upgrade to at least version 3.7.33. The vendor marked release 3.7.33 as critical and integrated warning messages in affected versions urging users to update (CVES AT).

Risorse aggiuntive


FonteQuesto report è stato generato utilizzando l'intelligenza artificiale

Imparentato PHP Vulnerabilità:

CVE ID

Severità

Punteggio

Tecnologie

Nome del componente

Exploit CISA KEV

Ha la correzione

Data di pubblicazione

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
NoJul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026

Valutazione gratuita delle vulnerabilità

Benchmark della tua posizione di sicurezza del cloud

Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.

Richiedi valutazione

Richiedi una demo personalizzata

Pronti a vedere Wiz in azione?

"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità