
Missing Encryption of Sensitive Data


Severity High
Score 7.5/10


All Craft CMS versions 3.0.x prior to 3.7.33 disclose the password hashes of users who authenticate with their e-mail address or username in their anti-CSRF tokens. Craft CMS uses a cookie named "CRAFT_CSRF_TOKEN" and an HTML hidden field of the same name to prevent cross-site request forgery attacks. The "CRAFT_CSRF_TOKEN" cookie discloses the password hash without any encoding, while the corresponding HTML hidden field discloses the user's password hash in a masked form that can be unmasked with public functions of the Yii framework.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-311 - Missing Encryption of Sensitive Data

The software does not encrypt sensitive or critical information before storage or transmission.

Advisory Timeline

  • Published