7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-22691

GHSA ID

GHSA-r8pr-83cc-ccv7

EPSS Score

0.55318%

CWE

CWE-444

Published

1/21/2022

Updated

2/3/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-22691

CVE-2022-22691:
Umbraco Persistent Password Reset Poison

The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL. It may be possible to manipulate the URL sent to Umbraco users when so that it points to the attackers server thereby disclosing the password reset token if/when the link is followed. A related vulnerability (CVE-2022-22690) could allow this flaw to become persistent so that all password reset URLs are affected persistently following a successful attack. See the AppCheck advisory for further information and associated caveats.

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-22691

GHSA ID

GHSA-r8pr-83cc-ccv7

EPSS Score

0.55318%

CWE

CWE-444

Published

1/21/2022

Updated

2/3/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Umbraco.Cms.Core	nuget	< 9.2.0	9.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability chain involves three key functions: 1) GetApplicationUrlFromCurrentRequest directly uses the untrusted Host header to build URLs. 2) EnsureApplicationMainUrl persists this value system-wide. 3) ConstructCallbackUrl uses the poisoned URL to generate reset links. The advisory's code snippets and attack flow analysis explicitly reference these functions' roles in the exploit chain. The first two functions enable persistent poisoning (CVE-2022-22690), while the third enables token leakage (CVE-2022-22691).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p*sswor* r*s*t *ompon*nt **ploy** wit*in Um*r**o us*s t** *ostn*m* suppli** wit*in t** r*qu*st *ost *****r w**n *uil*in* * p*sswor* r*s*t URL. It m*y ** possi*l* to m*nipul*t* t** URL s*nt to Um*r**o us*rs w**n so t**t it points to t** *tt**k*rs

Reasoning

T** vuln*r**ility ***in involv*s t*r** k*y *un*tions: *) `**t*ppli**tionUrl*rom*urr*ntR*qu*st` *ir**tly us*s t** untrust** *ost *****r to *uil* URLs. *) `*nsur**ppli**tionM*inUrl` p*rsists t*is v*lu* syst*m-wi**. *) `*onstru*t**ll***kUrl` us*s t** po

7.4

Basic Information

Concerned about an active attack path?

CVE-2022-22691: Umbraco Persistent Password Reset Poison

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-22691:
Umbraco Persistent Password Reset Poison

Vulnerability Intelligence
Miggo AI