CVE-2022-22691

Umbraco Password Reset URL Poison

Severity Score

7.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats.

El componente de restablecimiento de contraseñas desplegado en Umbraco usa el nombre de host suministrado dentro del encabezado de host de la petición cuando construye una URL de restablecimiento de contraseñas. Puede ser posible manipular la URL enviada a usuarios de Umbraco cuando apunta al servidor del atacante, revelando así el token de restablecimiento de contraseña si/cuando es seguido el enlace. Una vulnerabilidad relacionada (CVE-2022-22690) podría permitir que este fallo se convierta en persistente, de modo que todas las URL de restablecimiento de contraseña estén afectadas persistentemente después de un ataque con éxito. Consulte el aviso de AppCheck para obtener más información y las advertencias asociadas

*Credits: AppCheck Ltd

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-05 CVE Reserved
2022-01-18 CVE Published
2024-09-16 CVE Updated
2024-09-16 First Exploit
2024-10-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-640: Weak Password Recovery Mechanism for Forgotten Password

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691	2024-09-16

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Umbraco Search vendor "Umbraco"		Umbraco Cms Search vendor "Umbraco" for product "Umbraco Cms"				< 9.2.0 Search vendor "Umbraco" for product "Umbraco Cms" and version " < 9.2.0"		-		Affected