CVE-2022-22691
MEDIUMUmbraco CMS < 9.2.0 - Password Reset Token Disclosure via Host Header Manipulation
Title source: llmDescription
The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats.
References (1)
Core 1
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_misc
https://appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/
Scores
CVSS v3
6.8
EPSS
0.0102
EPSS Percentile
58.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Details
CWE
CWE-444
CWE-640
Status
published
Products (2)
nuget/Umbraco.Cms.Core
0 - 9.2.0NuGet
umbraco/umbraco_cms
< 9.2.0
Published
Jan 18, 2022
Tracked Since
Feb 18, 2026