PT-2022-19917 · Craft Cms · Craft Cms

Sandro Einfeldt · Published 2022-05-09 · Updated 2022-05-18

CVE-2022-29933

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 3.7.36 and earlier
Description: The password-reset link that Craft CMS e-mails to a user is built from the host of the incoming request, and the X-Forwarded-Host header is honoured when that host is determined. A remote, unauthenticated attacker who knows at least one valid username can therefore request a password reset for that account at the "/index.php?p=admin/actions/users/send-password-reset-email" URI while supplying an X-Forwarded-Host header set to a host under their control. The reset e-mail delivered to the victim then links to the attacker's host; when the victim opens the link (the UI:R component of the vector), the reset token is disclosed to the attacker, who uses it to set a new password and take over the account. The vendor's position is that a customer can already work around this by adjusting the configuration, i.e., by not relying on the default configuration.
Recommendations: For Craft CMS versions 3.7.36 and earlier, apply the configuration-based workaround the vendor points to: configure the site so that the URLs it generates, including password-reset links, use a fixed, explicitly configured host rather than one derived from the incoming request's Host or X-Forwarded-Host headers, instead of relying on the default settings. If the application sits behind a reverse proxy, also have the proxy overwrite or drop any client-supplied X-Forwarded-Host header so the application never sees an attacker-chosen value. As a temporary measure, restrict access to the "/index.php?p=admin/actions/users/send-password-reset-email" URI until the configuration change is in place. To confirm whether a deployment is exposed, trigger a reset for a test account while sending an X-Forwarded-Host header set to a host you control and inspect the link in the resulting e-mail: if it points at your host rather than the site's own, the instance is vulnerable.
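The following is an added example, not code from Craft CMS or from this advisory: a small Python model of the bug class above (the reset link's host taken from X-Forwarded-Host) beside a hardened builder that either uses a pinned base URL or accepts only an allow-listed Host header and ignores X-Forwarded-Host entirely. The reset path, the `code` parameter, the `base_url` and `trusted_hosts` names, and the sample request are assumptions made for illustration; Craft's actual configuration keys are not given on this page.

```python
"""Toy model of password-reset link poisoning via X-Forwarded-Host.

Constructed illustration for this advisory; it is not Craft CMS code and
does not reproduce Craft's actual reset handler. The header names are
standard HTTP conventions; the reset path, the 'code' parameter, the
config values and the sample request are assumptions made for the example.
"""
import secrets
from urllib.parse import urlsplit

RESET_PATH = "/set-password"  # hypothetical landing path for the reset link


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def vulnerable_reset_link(headers, token):
    """Build the e-mailed link from the request, honouring X-Forwarded-Host.

    This is the bug class in the advisory: whatever the client puts in
    X-Forwarded-Host becomes the host the victim's reset link points at.
    """
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    scheme = _header(headers, "X-Forwarded-Proto") or "https"
    return f"{scheme}://{host}{RESET_PATH}?code={token}"


def hardened_reset_link(headers, token, base_url=None, trusted_hosts=()):
    """Build the link without trusting the request for its host.

    Preferred: a pinned base_url (the 'non-default configuration' route).
    Fallback: the plain Host header, accepted only if it is on an explicit
    allow-list. X-Forwarded-Host is never consulted.
    """
    if base_url:
        parts = urlsplit(base_url)
        scheme, netloc = parts.scheme, parts.netloc
    else:
        host = _header(headers, "Host")
        allowed = {h.lower() for h in trusted_hosts}
        if host is None or host.lower() not in allowed:
            raise ValueError(f"untrusted Host header: {host!r}")
        scheme, netloc = "https", host
    return f"{scheme}://{netloc}{RESET_PATH}?code={token}"


def link_host(link):
    """Hostname the link would send the victim (and the token) to."""
    return urlsplit(link).hostname


def link_is_poisoned(link, expected_host):
    """True when the link points somewhere other than the site's own host."""
    return link_host(link) != expected_host.lower()


# Constructed request: the attacker asks for a reset on the victim's
# username and smuggles in a host they control.
ATTACKER_REQUEST = {
    "Host": "cms.example.com",
    "X-Forwarded-Host": "reset.attacker.example",
    "X-Forwarded-Proto": "https",
}
SITE_HOST = "cms.example.com"


def run_demo():
    """Run both builders on the same request and return the outcomes."""
    token = secrets.token_urlsafe(16)
    vuln = vulnerable_reset_link(ATTACKER_REQUEST, token)
    pinned = hardened_reset_link(ATTACKER_REQUEST, token, base_url=f"https://{SITE_HOST}")
    allowlisted = hardened_reset_link(ATTACKER_REQUEST, token, trusted_hosts=(SITE_HOST,))
    try:
        hardened_reset_link({"Host": "evil.example"}, token, trusted_hosts=(SITE_HOST,))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_poisoned": link_is_poisoned(vuln, SITE_HOST),
        "pinned_poisoned": link_is_poisoned(pinned, SITE_HOST),
        "allowlisted_poisoned": link_is_poisoned(allowlisted, SITE_HOST),
        "untrusted_host_rejected": rejected,
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The pinned base URL is the stronger of the two hardened paths because it removes the request from the decision entirely; the allow-list fallback still depends on the proxy in front of the application forwarding a trustworthy Host header, which is why stripping client-supplied X-Forwarded-Host at the proxy belongs alongside either fix.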

Exploit

Fix


Weakness Enumeration

Related Identifiers

CVE-2022-29933
GHSA-5CJR-78CQ-3WRG

Affected Products

Craft Cms