Missing Encryption of Sensitive Data
All Craft CMS versions 3.0.x prior to 3.7.33 disclose the password hashes of users who authenticate with their email address or username inside anti-CSRF tokens. Craft CMS uses a cookie named "CRAFT_CSRF_TOKEN" and an HTML hidden field of the same name to prevent Cross-Site Request Forgery attacks. The "CRAFT_CSRF_TOKEN" cookie discloses the password hash without any encoding, whereas the corresponding HTML hidden field discloses it in a masked form that can be decoded with public functions of the Yii framework.
CWE-311 - Missing Encryption of Sensitive Data
The software does not encrypt sensitive or critical information before storage or transmission.
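The following Python example is added here to illustrate the defect class and a defensive check; it is not Craft CMS or Yii code, and the token layouts, the `server_key`/`session_id` names and the bcrypt-looking sample hash are all constructed for the example. It shows a token builder that embeds the stored password hash (the pattern described above), a hardened builder that binds a random nonce to the session with an HMAC so no secret material ever leaves the server, and a check an operator can run over captured "CRAFT_CSRF_TOKEN" cookie or hidden-field values to see whether they carry a bcrypt-formatted hash.

```python
import hashlib
import hmac
import re
import secrets

# bcrypt hashes look like $2y$<cost>$<22-char salt><31-char hash>; the
# regex matches the $2a$/$2b$/$2y$ prefixes, a two-digit cost and 53 base64-ish chars.
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")

# Constructed sample value with bcrypt's shape; it is NOT a real hash of anything.
SAMPLE_BCRYPT = "$2y$13$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"


def build_token_vulnerable(user_id: str, password_hash: str) -> str:
    """Token that embeds the stored password hash verbatim.

    This mirrors the defect class in the advisory: whatever identifier goes
    into the token is exposed to the client in the cookie and hidden field.
    """
    return f"{user_id}|{password_hash}"


def issue_token(server_key: bytes, session_id: str) -> str:
    """Hardened token: random nonce plus an HMAC binding it to the session.

    The client only ever sees the nonce and the MAC; the server key and any
    credential material stay server-side. (Assumed layout, not Craft's.)
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(server_key: bytes, session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(server_key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def token_leaks_password_hash(token_value: str) -> bool:
    """Detection check for a captured cookie or hidden-field value.

    Returns True when the value contains something shaped like a bcrypt hash,
    which a CSRF token never legitimately needs to carry.
    """
    return BCRYPT_RE.search(token_value) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    bad = build_token_vulnerable("42", SAMPLE_BCRYPT)
    good = issue_token(key, "session-abc")
    print("vulnerable token leaks hash:", token_leaks_password_hash(bad))
    print("hardened token leaks hash:", token_leaks_password_hash(good))
    print("hardened token verifies:", verify_token(key, "session-abc", good))
```

Run the check over the raw cookie value first, since the advisory notes the cookie is unencoded; the hidden field carries a masked copy of the same data, so a negative result on the field alone proves nothing. Upgrading to a fixed release is the remediation; the check only tells you whether a deployment still emits hashes.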