Information Exposure Affecting umbraco.cms.core Open this link in a new tab package, versions [0,]

Attack Complexity

High
User Interaction

Required
Scope

Changed
Confidentiality

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-DOTNET-UMBRACOCMSCORE-2359039
published

23 Jan 2022
disclosed

21 Jan 2022
credit

Unknown

Report a new vulnerability Found a mistake?

Introduced: 21 Jan 2022

CVE-2022-22691 Open this link in a new tab CWE-640 Open this link in a new tab

How to fix?

There is no fixed version for Umbraco.Cms.Core.

Overview

Affected versions of this package are vulnerable to Information Exposure via the password reset component deployed within Umbraco. It uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed.

References

AppCheck Advisory

Information Exposure Affecting umbraco.cms.core Open this link in a new tab package, versions [0,]

Attack Complexity

User Interaction

Scope

Confidentiality

snyk-id

published

disclosed

credit

Introduced: 21 Jan 2022

How to fix?

Overview

References