Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jwj3-be5u-cfa6
Vulnerability ID VCID-jwj3-be5u-cfa6
Aliases CVE-2022-37783
GHSA-h972-v458-m892
Summary All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash in without encoding it whereas the corresponding HTML hidden field discloses the users' password hash in a masked manner, which can be decoded by using public functions of the YII framework.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-522 Insufficiently Protected Credentials
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01471 https://api.first.org/data/v1/epss?cve=CVE-2022-37783
cvssv3.1 7.5 https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes
generic_textual HIGH https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes
ssvc Track https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes/
cvssv3.1 7.5 https://cves.at/posts/cve-2022-37783/writeup
generic_textual HIGH https://cves.at/posts/cve-2022-37783/writeup
ssvc Track https://cves.at/posts/cve-2022-37783/writeup/
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-h972-v458-m892
cvssv3.1 7.5 https://github.com/craftcms/cms
generic_textual HIGH https://github.com/craftcms/cms
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-37783
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-37783
cvssv3.1 7.5 http://www.openwall.com/lists/oss-security/2024/06/06/1
generic_textual HIGH http://www.openwall.com/lists/oss-security/2024/06/06/1
ssvc Track http://www.openwall.com/lists/oss-security/2024/06/06/1
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-37783
https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes
https://cves.at/posts/cve-2022-37783/writeup
1 http://www.openwall.com/lists/oss-security/2024/06/06/1
CVE-2022-37783 https://nvd.nist.gov/vuln/detail/CVE-2022-37783
cve-disclosure-of-password-hashes https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes/
GHSA-h972-v458-m892 https://github.com/advisories/GHSA-h972-v458-m892
writeup https://cves.at/posts/cve-2022-37783/writeup/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T17:33:05Z/ Found at https://at-trustit.tuv.at/tuev-trust-it-cves/cve-disclosure-of-password-hashes/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://cves.at/posts/cve-2022-37783/writeup
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T17:33:05Z/ Found at https://cves.at/posts/cve-2022-37783/writeup/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-37783
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2024/06/06/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T17:33:05Z/ Found at http://www.openwall.com/lists/oss-security/2024/06/06/1
Exploit Prediction Scoring System (EPSS)
Percentile 0.81342
EPSS Score 0.01471
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:38:33.150399+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/37xxx/CVE-2022-37783.json 38.6.0