4 matches found
CVE-2022-29933
Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must...
CVE-2022-29933
creationtimestamp| type| source ---|---|--- 2022-05-09 22:33:10+00:00| seen| https://t.me/cibsecurity/42207...
CVE-2022-29933
Craft CMS up to version 3.7.36 is affected by a password-reset poisoning vulnerability. An unauthenticated attacker who knows a valid username can reset the target account by supplying a crafted HTTP header (X-Forwarded-Host) to the password-reset URL at /index.php?p=admin/actions/users/send-pass...
Craft CMS 3.7.36 Password Reset Poisoning Attack Vulnerability
Craft CMS version 3.7.36 suffers from a password reset poisoning vulnerability. An unauthenticated attacker who knows valid email addresses or account names of Craft CMS backend users is able to manipulate the password reset functionality in a way that the registered users of the CMS receive...