Missing Encryption of Sensitive Data
CVE-2022-37783
Summary
All Craft CMS versions 3.0.x prior to 3.7.33 disclose the password hashes of users who authenticate with their e-mail address or username in anti-CSRF tokens. Craft CMS uses a cookie named "CRAFT_CSRF_TOKEN" and an HTML hidden field of the same name to prevent Cross-Site Request Forgery attacks. The "CRAFT_CSRF_TOKEN" cookie discloses the password hash without any encoding, whereas the corresponding HTML hidden field discloses the user's password hash in masked form, which can be unmasked with public functions of the Yii framework.
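As an added illustration (not Craft's or Yii's own code), the Python below models the Yii token-masking scheme (random mask, XOR, base64url; an assumption based on the public Yii Security API) to show that masking is reversible rather than encrypting, and contrasts a constructed token layout that embeds the password hash with one that only binds the token to the hash through an HMAC, so the hash itself never reaches the client. The `nonce|userId|hash` layout, the server key and the sample hash are constructed for the example, not Craft's real format or data.

```python
import base64
import hashlib
import hmac
import os


def mask_token(token: bytes) -> str:
    """Reversible masking (modelled on Yii's maskToken): mask || (mask XOR token), base64url."""
    mask = os.urandom(len(token))
    xored = bytes(a ^ b for a, b in zip(mask, token))
    return base64.urlsafe_b64encode(mask + xored).decode().rstrip("=")


def unmask_token(masked: str) -> bytes:
    """Inverse of mask_token (modelled on Yii's unmaskToken); empty for odd-length input."""
    raw = base64.urlsafe_b64decode(masked + "=" * (-len(masked) % 4))
    if len(raw) % 2:
        return b""
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[:half], raw[half:]))


def leaky_token(nonce: str, user_id: int, password_hash: str) -> str:
    """Flawed design (constructed): the secret hash travels inside the token itself."""
    return f"{nonce}|{user_id}|{password_hash}"


def bound_token(nonce: str, user_id: int, password_hash: str, server_key: bytes) -> str:
    """Hardened design: token is tied to the hash via HMAC, so it still expires on a
    password change, but the client only ever sees the nonce and an HMAC tag."""
    msg = f"{nonce}|{user_id}|{password_hash}".encode()
    tag = hmac.new(server_key, msg, hashlib.sha256).hexdigest()
    return f"{nonce}|{tag}"


def verify_bound_token(token: str, user_id: int, password_hash: str, server_key: bytes) -> bool:
    """Recompute the tag server-side and compare in constant time."""
    nonce, _, tag = token.partition("|")
    expected = bound_token(nonce, user_id, password_hash, server_key).partition("|")[2]
    return hmac.compare_digest(tag, expected)


def field_exposes_hash(masked_field_value: str, password_hash: str) -> bool:
    """Audit check for one's own rendered form: does the masked hidden field still
    contain the password hash once the (non-secret) mask is removed?"""
    return password_hash.encode() in unmask_token(masked_field_value)
```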
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-311 - Missing Encryption of Sensitive Data
The software does not encrypt sensitive or critical information before storage or transmission.
References
Advisory Timeline
- Published