
Cloud Vulnerability DB
A community-led vulnerabilities database
Craft CMS through version 3.7.36 contains a password reset poisoning vulnerability (CVE-2022-29933) that allows remote unauthenticated attackers to take over user accounts. The vulnerability requires the attacker to know at least one valid username and can be exploited by manipulating the X-Forwarded-Host HTTP header during the password reset process (SEC Consult Advisory, NVD).
The vulnerability exists in the password reset functionality accessible via /index.php?p=admin/actions/users/send-password-reset-email. An attacker sends a password reset request for a known username and adds a malicious X-Forwarded-Host header pointing to an attacker-controlled server; the application uses that header when building the absolute reset link in the email. When the user clicks the reset link, the password reset tokens are sent to the attacker's server, allowing the attacker to construct a valid password reset URL and take over the account. The vulnerability has a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).
A successful exploit allows an attacker to reset passwords and take over any user account for which they know the username. This gives them full access to the compromised account's permissions and functionality within the CMS (SEC Consult Advisory).
The vendor's position is that customers can mitigate this by adjusting the configuration rather than using the default settings. The backend login interface and password reset function should not be accessible from the internet or unknown IP addresses. Users must implement the workaround described in the vendor's hardening guide to mitigate this issue (SEC Consult Advisory).
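The following detection script is an added example and is not part of the advisory, the NVD entry, or Craft CMS itself. It covers both points above: it checks Host and X-Forwarded-Host values against an allowlist of hostnames the site legitimately serves (the check a reverse proxy or application layer should enforce), and it runs that check over request logs to flag reset requests carrying an off-allowlist host. The allowlist entry cms.example.com, the JSON-lines log format, and every log record are constructed assumptions for this example.

```python
import json
from typing import Iterable, List, Optional, Set
from urllib.parse import unquote

# Constructed allowlist: the hostnames this Craft CMS site is actually served under.
ALLOWED_HOSTS: Set[str] = {"cms.example.com"}

# Action path of the reset endpoint named in the advisory.
RESET_ACTION = "admin/actions/users/send-password-reset-email"

# Constructed proxy log in JSON-lines form (one request per line); not real traffic.
SAMPLE_LOG = """
{"client_ip": "203.0.113.5", "method": "POST", "path": "/index.php", "query": "p=admin%2Factions%2Fusers%2Fsend-password-reset-email", "headers": {"Host": "cms.example.com"}}
{"client_ip": "198.51.100.9", "method": "POST", "path": "/index.php", "query": "p=admin/actions/users/send-password-reset-email", "headers": {"Host": "cms.example.com", "X-Forwarded-Host": "evil.example"}}
{"client_ip": "198.51.100.9", "method": "GET", "path": "/index.php", "query": "p=admin/login", "headers": {"Host": "cms.example.com", "X-Forwarded-Host": "evil.example"}}
{"client_ip": "203.0.113.7", "method": "POST", "path": "/index.php", "query": "p=admin/actions/users/send-password-reset-email", "headers": {"Host": "cms.example.com", "X-Forwarded-Host": "CMS.EXAMPLE.COM:443"}}
"""


def normalize_host(value: str) -> str:
    """Lowercase a Host/X-Forwarded-Host element and drop any port suffix."""
    value = value.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal such as [::1]:8080
        return value.split("]")[0] + "]"
    return value.split(":", 1)[0]


def is_allowed_host(header_value: Optional[str], allowed: Set[str]) -> bool:
    """True only when every hop in a (possibly comma-separated) host header is allowlisted.

    X-Forwarded-Host can accumulate one value per proxy; an unknown value anywhere
    in the chain means absolute URLs could be built with the wrong origin, so the
    whole header must be clean. A missing or empty value is treated as not allowed.
    """
    if header_value is None or not header_value.strip():
        return False
    return all(normalize_host(part) in allowed for part in header_value.split(","))


def is_reset_request(record: dict) -> bool:
    """Match the advisory's endpoint whether the action arrives in the path or the p= query."""
    path = unquote(record.get("path", ""))
    query = unquote(record.get("query", ""))
    return RESET_ACTION in path or f"p={RESET_ACTION}" in query


def find_reset_poisoning(log_lines: Iterable[str], allowed: Set[str]) -> List[dict]:
    """Return one finding per reset request whose Host or X-Forwarded-Host is off-allowlist."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if not is_reset_request(record):
            continue
        headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
        bad = []
        xfh = headers.get("x-forwarded-host")
        if xfh is not None and not is_allowed_host(xfh, allowed):
            bad.append(("x-forwarded-host", xfh))
        if not is_allowed_host(headers.get("host"), allowed):
            bad.append(("host", headers.get("host")))
        if bad:
            findings.append({"client_ip": record.get("client_ip"), "bad_headers": bad})
    return findings


if __name__ == "__main__":
    for finding in find_reset_poisoning(SAMPLE_LOG.splitlines(), ALLOWED_HOSTS):
        print(f"suspect reset request from {finding['client_ip']}: {finding['bad_headers']}")
```

Run against the constructed log, the script reports only the second record (X-Forwarded-Host of evil.example on a reset request); the upper-case host with a port on the fourth record normalizes to an allowlisted name, and the third record is ignored because it is not a reset request. The same is_allowed_host check, placed in front of the application so that a request with an off-allowlist Host or X-Forwarded-Host is rejected before URL generation, is the general hardening this class of bug calls for, alongside restricting the backend login and reset endpoints to known IP addresses as the vendor recommends.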
Source: This report was generated using AI