Craft CMS · CVE-2022-37783
**Name of the Vulnerable Software and Affected Versions**
Craft CMS versions 3.0.0 through 3.7.32
**Description**
The issue concerns the disclosure of the password hashes of users who authenticate with their email address or username, through the anti-CSRF tokens. Craft CMS uses a cookie named `CRAFT_CSRF_TOKEN` and an HTML hidden field of the same name to prevent cross-site request forgery (CSRF) attacks. The `CRAFT_CSRF_TOKEN` cookie discloses the password hash unencoded, while the corresponding HTML hidden field discloses the user's password hash in a masked form that can be decoded with public functions of the Yii framework.
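The two forms named above (the raw cookie value and the Yii-masked hidden-field value) can be audited with a small check that looks for an embedded bcrypt hash in either. The script below is an added example written for this page; it is not Craft's or Yii's own code. Yii's masking is reimplemented from its documented scheme (assumption: `base64url(mask || mask XOR token)`, the same shape as `yii\base\Security::maskToken`), the token layout used in the sample is invented for the demo (the page does not give Craft's real layout), and `bind_token_safely` illustrates one non-leaking design rather than Craft's actual patch. All sample values are constructed.

```python
"""Audit helper: does a Craft/Yii CSRF token value embed a bcrypt password hash?

Checks a value in both forms the advisory names: the raw cookie value and the
Yii-masked hidden-field value. Masking/unmasking is reimplemented here from
Yii's documented scheme (assumption: base64url(mask || mask XOR token)); it is
not Yii's or Craft's own code.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional
from urllib.parse import unquote

# bcrypt hash as produced by PHP password_hash(): $2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")


def b64url_encode(raw: bytes) -> str:
    """Yii-style base64url: '+/' become '-_' and '=' padding is stripped."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def yii_mask_token(token: bytes, mask: Optional[bytes] = None) -> str:
    """Mask a token the way Yii does for hidden fields (BREACH mitigation, not secrecy):
    a random mask of equal length is prepended and XORed with the token."""
    if mask is None:
        mask = os.urandom(len(token))
    if len(mask) != len(token):
        raise ValueError("mask must be the same length as the token")
    return b64url_encode(mask + bytes(m ^ t for m, t in zip(mask, token)))


def yii_unmask_token(masked: str) -> Optional[bytes]:
    """Reverse yii_mask_token; returns None when the input is not a well-formed masked token."""
    try:
        decoded = b64url_decode(masked)
    except ValueError:  # includes binascii.Error (bad length / non-ASCII input)
        return None
    if not decoded or len(decoded) % 2:
        return None
    half = len(decoded) // 2
    return bytes(m ^ x for m, x in zip(decoded[:half], decoded[half:]))


def find_password_hash(token_value: str) -> Optional[str]:
    """Return the bcrypt hash found in a CSRF token value, or None.

    Looks at the value as sent in the cookie (URL-decoded) and, if that finds
    nothing, at the Yii-unmasked form used for the hidden field.
    """
    found = BCRYPT_RE.search(unquote(token_value))
    if found:
        return found.group(0)
    unmasked = yii_unmask_token(token_value)
    if unmasked is not None:
        found = BCRYPT_RE.search(unmasked.decode("latin-1"))
        if found:
            return found.group(0)
    return None


def bind_token_safely(random_part: str, password_hash: str, app_key: bytes) -> str:
    """One non-leaking way to tie a CSRF token to the current credentials (a design
    choice for illustration, not a claim about Craft's actual patch): keep only an
    HMAC of the hash under the application key, so the hash itself never leaves the server."""
    tag = hmac.new(app_key, password_hash.encode(), hashlib.sha256).hexdigest()
    return f"{random_part}|{tag}"


# --- constructed sample data (no real credentials) -------------------------
SAMPLE_HASH = "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
RANDOM_PART = "0123456789abcdefghijklmnopqrstuvwxyzABCD"
# Hypothetical leaky layout: random string, user id, then the hash. The page does
# not give Craft's real token layout; this one exists only to exercise the detector.
LEAKY_TOKEN = f"{RANDOM_PART}|1|{SAMPLE_HASH}"
SAFE_TOKEN = bind_token_safely(RANDOM_PART, SAMPLE_HASH, app_key=b"constructed-app-key")

if __name__ == "__main__":
    print("cookie form  :", find_password_hash(LEAKY_TOKEN))
    print("hidden field :", find_password_hash(yii_mask_token(LEAKY_TOKEN.encode())))
    print("safe design  :", find_password_hash(SAFE_TOKEN))
```

To audit a live instance, paste the `CRAFT_CSRF_TOKEN` cookie value or the hidden field's `value` attribute from a logged-in session into `find_password_hash`; a non-`None` result means the token still carries the hash. The unmasking step is deliberately tolerant (any malformed input yields `None`) so the check can be run over arbitrary cookie jars without raising.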
**Recommendations**
For Craft CMS versions 3.0.0 through 3.7.32, consider disabling the `CRAFT_CSRF_TOKEN` cookie and the corresponding HTML hidden field until a patch is available, to prevent the disclosure of password hashes; bear in mind that these tokens are the site's CSRF protection, so weigh that loss against the disclosure risk. Restrict access to the Yii framework's public functions to minimize the risk of the masked password hashes being decoded.