CVE-2022-22691: Umbraco Persistent Password Reset Poison

January 21, 2022

The password reset component deployed within Umbraco uses the hostname supplied within the request host header when building a password reset URL.See the AppCheck advisory for further information and associated caveats.

References

appcheck-ng.com/umbraco-applicationurl-overwrite-persistent-password-reset-poison-cve-2022-22690-cve-2022-22691/
github.com/advisories/GHSA-r8pr-83cc-ccv7
nvd.nist.gov/vuln/detail/CVE-2022-22691

Code Behaviors & Features

Detect and mitigate CVE-2022-22691 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →