Lucene search
MitreCVELIST:CVE-2022-29933HistoryMay 09, 2022 - 5:48 p.m.
CVE-2022-29933
2022-05-0917:48:45
mitre
www.cve.org
4
craft cms
remote attack
unauthenticated takeover
http header
Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account’s password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor’s position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration).
Related
prion
prion
Default configuration
2022-05-09 18:15:00
osv
osv
CVE-2022-29933
2022-05-09 18:15:08
Improper account password reset in Craft CMS
2022-05-10 00:00:17
veracode
veracode
Host Header Injection
2022-05-10 04:29:40
nvd
nvd
CVE-2022-29933
2022-05-09 18:15:08
github
github
Improper account password reset in Craft CMS
2022-05-10 00:00:17
packetstorm
packetstorm
Craft CMS 3.7.36 Password Reset Poisoning Attack
2022-05-06 00:00:00
cve
cve
CVE-2022-29933
2022-05-09 18:15:08
zdt
zdt
Craft CMS 3.7.36 Password Reset Poisoning Attack Vulnerability
2022-05-08 00:00:00