CVE-2022-22691

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-22691
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22691.json
Aliases
Published
2022-01-18T17:15:10Z
Modified
2023-11-29T09:26:45.582025Z
Details

The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats.

References

Affected packages

Git / github.com/umbraco/umbraco-cms

Affected ranges

Type
GIT
Repo
https://github.com/umbraco/umbraco-cms
Events
Introduced
0The exact introduced commit is unknown
Fixed
763cb70e677ac0c85557b19b5df09eccfa1b9dfb

Affected versions

4.*

4.7.2
4.8.0-beta

7.*

7.3.0-beta
7.6-alpha071
7.6-beta5

Release-4.*

Release-4.10.0
Release-4.11.0
Release-4.11.1
Release-4.11.2
Release-4.11.2.1
Release-4.11.2.2
Release-4.11.3
Release-4.11.4
Release-4.11.5
Release-4.5.2
Release-4.6.0
Release-4.8.0
Release-4.8.1
Release-4.9.0
Release-4.9.1

Release-6.*

Release-6.0.0
Release-6.0.0-RC
Release-6.0.0-beta
Release-6.0.2

Other

Sprint-Juno-A
alpha070
release-netcore-alpha002
release-netcore-alpha004
temp8-cg18

dev-7.*

dev-7.6-RC1
dev-7.6-RC2
dev-7.6-RC3
dev-7.6-alpha-073
dev-7.6-alpha054
dev-7.6-alpha055
dev-7.6-alpha056
dev-7.6-alpha060
dev-7.6-alpha061
dev-7.6-alpha063
dev-7.6-alpha064
dev-7.6-alpha072
dev-7.6-alpha073
dev-7.6-alpha074
dev-7.6-alpha075
dev-7.6-beta02
dev-7.6-beta03
dev-7.6-beta04
dev-7.6-beta06

dev-v7.*

dev-v7.6-alpha065
dev-v7.6-alpha066
dev-v7.6-alpha068
dev-v7.7-beta002

release-4.*

release-4.11.10
release-4.11.6
release-4.11.7
release-4.11.9

release-6.*

release-6.0.3
release-6.0.4
release-6.0.6
release-6.0.7
release-6.1.0
release-6.1.0-beta
release-6.1.0-beta2
release-6.1.1
release-6.1.2
release-6.1.3
release-6.1.4
release-6.1.5
release-6.1.6
release-6.2.0
release-6.2.0-beta
release-6.2.1
release-6.2.2
release-6.2.3

release-7.*

release-7.0.0
release-7.0.0-RC
release-7.0.0-alpha
release-7.0.0-beta
release-7.0.1
release-7.0.2
release-7.0.3
release-7.0.4
release-7.1.0
release-7.1.0-RC
release-7.1.0-beta
release-7.1.1
release-7.1.2
release-7.1.3
release-7.1.4
release-7.1.5
release-7.1.6
release-7.1.7
release-7.1.8
release-7.10.0
release-7.10.1
release-7.10.2
release-7.10.3
release-7.10.4
release-7.11.0
release-7.12.0
release-7.12.1
release-7.13.0
release-7.13.1
release-7.13.2
release-7.14.0
release-7.15.0
release-7.15.1
release-7.15.2
release-7.15.3
release-7.15.4
release-7.2.0
release-7.2.0-RC
release-7.2.0-alpha
release-7.2.0-beta
release-7.2.0-beta2
release-7.2.1
release-7.2.2
release-7.2.3
release-7.2.4
release-7.2.5
release-7.2.5-RC
release-7.2.6
release-7.2.7
release-7.2.8
release-7.3.0
release-7.3.0-RC
release-7.3.0-beta
release-7.3.0-beta2
release-7.3.0-beta3
release-7.3.1
release-7.3.2
release-7.3.3
release-7.3.4
release-7.3.5
release-7.3.6
release-7.3.7
release-7.3.8
release-7.4.0
release-7.4.0-RC1
release-7.4.0-beta2
release-7.4.1
release-7.4.2
release-7.4.3
release-7.5.0
release-7.5.0-beta
release-7.5.0-beta2
release-7.5.1
release-7.5.10
release-7.5.11
release-7.5.12
release-7.5.13
release-7.5.14
release-7.5.2
release-7.5.3
release-7.5.4
release-7.5.5
release-7.5.6
release-7.5.7
release-7.5.8
release-7.5.9
release-7.6.0
release-7.6.0-RC
release-7.6.0-beta
release-7.6.1
release-7.6.2
release-7.6.3
release-7.6.4
release-7.6.5
release-7.6.6
release-7.6.7
release-7.6.8
release-7.7.0
release-7.7.0-beta
release-7.7.1
release-7.7.10
release-7.7.11
release-7.7.12
release-7.7.13
release-7.7.2
release-7.7.3
release-7.7.4
release-7.7.5
release-7.7.6
release-7.7.7
release-7.7.8
release-7.7.9
release-7.8.0
release-7.8.0-beta
release-7.8.0-beta003
release-7.8.0-beta004
release-7.8.0-beta005
release-7.8.0-beta007
release-7.8.1
release-7.8.2
release-7.8.3
release-7.9.0
release-7.9.1
release-7.9.2
release-7.9.3
release-7.9.4
release-7.9.5
release-7.9.6

release-8.*

release-8.0.0
release-8.0.01
release-8.0.1
release-8.1.0
release-8.1.1
release-8.1.2
release-8.1.3
release-8.1.4
release-8.1.5
release-8.10.0
release-8.10.0-rc
release-8.10.1
release-8.10.2
release-8.10.3
release-8.11.0
release-8.11.0-rc
release-8.11.1
release-8.11.2
release-8.11.3
release-8.12.0
release-8.12.0-rc
release-8.12.1
release-8.12.2
release-8.12.3
release-8.13.0
release-8.13.0-rc
release-8.13.1
release-8.14.0
release-8.14.0-rc
release-8.14.1
release-8.14.2
release-8.14.3
release-8.14.4
release-8.15.0
release-8.15.0-rc
release-8.15.1
release-8.15.2
release-8.15.3
release-8.16.0
release-8.16.0-rc
release-8.17.0
release-8.17.0-rc
release-8.17.0-rc2
release-8.17.1
release-8.2.0
release-8.2.0-rc
release-8.2.1
release-8.2.2
release-8.3.0
release-8.4.0
release-8.4.0-rc
release-8.4.1
release-8.5.0
release-8.5.1
release-8.5.2
release-8.5.3
release-8.5.4
release-8.5.5
release-8.6.0
release-8.6.0-rc
release-8.6.1
release-8.6.2
release-8.6.3
release-8.6.4
release-8.6.5
release-8.6.6
release-8.6.7
release-8.6.8
release-8.7.0
release-8.7.0-rc
release-8.7.1
release-8.7.2
release-8.7.3
release-8.8
release-8.8.0
release-8.8.0-rc
release-8.8.1
release-8.8.2
release-8.8.3
release-8.8.4
release-8.9.0
release-8.9.0-rc
release-8.9.1
release-8.9.2
release-8.9.3

release-9.*

release-9.0.0
release-9.0.0-beta001
release-9.0.0-beta002
release-9.0.0-beta003
release-9.0.0-beta004
release-9.0.0-rc001
release-9.0.0-rc002
release-9.0.0-rc003
release-9.0.0-rc004
release-9.0.1
release-9.1.0
release-9.1.0-rc
release-9.1.1
release-9.1.2
release-9.2.0-rc

release-netcore-0.*

release-netcore-0.5.0-alpha001

release/7.*

release/7.15.2

release/8.*

release/8.1.3