PT-2022-24072 · Craft CMS

Published 2022-12-05 · Updated 2024-06-10

CVE-2022-37783
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 3.0.0 through 3.7.32

Description: The issue concerns the disclosure of the password hashes of users who authenticate with their email address or username, via the anti-CSRF tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and an HTML hidden field called CRAFT_CSRF_TOKEN to prevent cross-site request forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash without any encoding, whereas the corresponding HTML hidden field discloses the user's password hash in a masked form, which can be decoded using public functions of the Yii framework.

Recommendations: For Craft CMS versions 3.0.0 through 3.7.32, consider disabling the CRAFT_CSRF_TOKEN cookie and the corresponding HTML hidden field until a patch is available, to prevent the disclosure of password hashes. Restrict access to the Yii framework's public functions to minimize the risk of decoding the masked password hashes.
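The description above hinges on two points a defender should internalise: Yii-style token masking (a random one-time pad prepended to the XOR of the token with that pad) is reversible by anyone holding the masked value, so whatever is placed inside the token is effectively plaintext; and the fix is not stronger masking but keeping the password hash out of the token entirely, for example by binding the token to the user with an HMAC under a server-only key. The following Python is an added illustration of both points; it is constructed for this page and is not Craft CMS's or Yii's code. The token layout `nonce|user_id|password_hash`, the sample hash, the server key and all function names are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values (not real Craft CMS data): a stored password hash
# and the server-side key that must never leave the server.
SAMPLE_PASSWORD_HASH = "$2y$13$examplehashvalue0000000000000000000000000000000000000"
SERVER_SECRET = b"constructed-server-secret-key"


def mask_token(token: bytes) -> str:
    """Yii-style masking (modelled on the pattern, not Yii's code): a random pad of
    the token's length is generated, the token is XORed with it, and pad+ciphertext
    is base64-encoded. The purpose of masking is to vary the token per response
    (a BREACH mitigation); it is not encryption, because the pad travels with it."""
    mask = secrets.token_bytes(len(token))
    masked = bytes(m ^ t for m, t in zip(mask, token))
    return base64.b64encode(mask + masked).decode()


def unmask_token(masked_b64: str) -> bytes:
    """Reverse of mask_token: split off the pad and XOR again. Anyone holding the
    masked value can do this, which is why a secret inside the token is exposed."""
    raw = base64.b64decode(masked_b64)
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(m ^ t for m, t in zip(mask, masked))


def weak_csrf_token(user_id: int, password_hash: str) -> str:
    """The flawed pattern the advisory describes: the password hash is part of the
    token itself and only masked for the hidden field (assumed layout)."""
    nonce = secrets.token_hex(20)
    plain = f"{nonce}|{user_id}|{password_hash}".encode()
    return mask_token(plain)


def hardened_csrf_token(user_id: int, password_hash: str, server_secret: bytes) -> str:
    """Mitigation pattern: the hash enters only as HMAC input under a server-only key.
    The client receives nonce|user_id|tag; the hash cannot be recovered from it, yet
    a password change still invalidates outstanding tokens."""
    nonce = secrets.token_hex(20)
    msg = f"{nonce}|{user_id}|{password_hash}".encode()
    tag = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return f"{nonce}|{user_id}|{tag}"


def verify_hardened_token(token: str, user_id: int, password_hash: str,
                          server_secret: bytes) -> bool:
    """Server side: recompute the HMAC from stored state and compare in constant time."""
    try:
        nonce, uid, tag = token.split("|")
    except ValueError:
        return False
    if uid != str(user_id):
        return False
    msg = f"{nonce}|{user_id}|{password_hash}".encode()
    expected = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def token_leaks_hash(token: str, password_hash: str) -> bool:
    """Defender check for a token seen in a cookie or hidden field: does it contain the
    stored hash either verbatim (the cookie case) or after unmasking (the hidden-field
    case)? A token that is not valid masked data simply cannot leak via unmasking."""
    if password_hash in token:
        return True
    try:
        return password_hash.encode() in unmask_token(token)
    except ValueError:  # base64.b64decode raises binascii.Error, a ValueError subclass
        return False


if __name__ == "__main__":
    weak = weak_csrf_token(1, SAMPLE_PASSWORD_HASH)
    strong = hardened_csrf_token(1, SAMPLE_PASSWORD_HASH, SERVER_SECRET)
    print("weak token leaks hash:", token_leaks_hash(weak, SAMPLE_PASSWORD_HASH))
    print("hardened token leaks hash:", token_leaks_hash(strong, SAMPLE_PASSWORD_HASH))
    print("hardened token verifies:",
          verify_hardened_token(strong, 1, SAMPLE_PASSWORD_HASH, SERVER_SECRET))
```

`token_leaks_hash` is the kind of check worth running against a staging instance's own cookies and form fields after an upgrade: it confirms that neither the raw nor the unmasked token carries the stored credential, which is the property the advisory says versions up to 3.7.32 lack.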

Weakness Enumeration

Information Disclosure
Insufficiently Protected Credentials

Related Identifiers

CVE-2022-37783
GHSA-H972-V458-M892

Affected Products

Craft CMS
Yii Framework