CVE-2022-33011

8.8 HIGH

📋 TL;DR

CVE-2022-33011 is a host header injection vulnerability in Known CMS. When a password reset is requested, the application builds the reset link from the request's Host header, so an attacker who requests a reset for a victim while supplying a Host value they control receives a reset email whose link points at the attacker's domain. If the victim clicks that link, the reset token is delivered to the attacker, who can then set a new password and take over the account.

💻 Affected Systems

Products:
  • Known CMS (idno/known)
Versions: v1.3.1+2020120201 (the version named in the CVE); earlier releases are likely affected as well
Operating Systems: any platform that runs Known (PHP)
Default Config Vulnerable: ⚠️ Yes
Notes: Any Known CMS installation with password reset enabled is affected, because the origin of the reset link is taken from the request's Host header rather than from a configured canonical URL.
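The two link-building patterns at the heart of this bug, as an added example that is not Known's code: a vulnerable builder that copies the link origin from the request (Host, and X-Forwarded-Host where a stack prefers it) beside a hardened one that only ever uses a configured canonical URL and refuses mismatched Host values. The canonical URL, the reset path and the header handling are assumptions for illustration, not Known's actual implementation.

```python
from urllib.parse import urlsplit

# Assumed canonical site URL; RESET_PATH is the path this page's detection
# section names, confirm it against your Known version.
CANONICAL_URL = "https://known.example.org"
RESET_PATH = "/account/password/reset/"


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link origin is copied from request headers.

    Many web stacks prefer X-Forwarded-Host over Host when it is present, so
    both headers are attacker-controlled inputs here. Whoever sends the reset
    request decides which domain the victim's e-mail link points at.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = "https" if headers.get("X-Forwarded-Proto") == "https" else "http"
    return f"{scheme}://{host}{RESET_PATH}?token={token}"


def hardened_reset_link(headers: dict, token: str):
    """Hardened pattern: the origin comes from configuration only.

    The Host header is still compared against the canonical hostname so a
    spoofed request is refused (None here; a real handler would answer 400)
    instead of silently sending mail for a request the site never
    legitimately received. X-Forwarded-Host is ignored entirely.
    """
    expected = urlsplit(CANONICAL_URL).hostname
    # Strip an explicit port and normalise case before comparing.
    presented = headers.get("Host", "").split(":", 1)[0].lower()
    if presented != expected:
        return None
    return f"{CANONICAL_URL}{RESET_PATH}?token={token}"


if __name__ == "__main__":
    spoofed = {"Host": "attacker.example"}
    print("vulnerable :", vulnerable_reset_link(spoofed, "demo-token"))
    print("hardened   :", hardened_reset_link(spoofed, "demo-token"))
```

The important design point is the second function: once the origin is read from configuration, checking Host is defence in depth rather than the fix, and the check must compare against an allowlist, not against a list of known-bad names.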

📦 What is this software?

Known (idno/known on GitHub) is an open-source content management system written in PHP; it is distributed through GitHub and can be managed with Composer.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Takeover of any account whose owner can be induced to click the poisoned link, including administrators, giving the attacker full control of the site: its content, its users' data and its administrative settings.

🟠

Likely Case

Targeted takeover of specific users, after which the attacker acts with that user's privileges: reading their data, publishing as them and, if an administrator is hit, reconfiguring the site.

🟢

If Mitigated

Limited impact. Once reset links are built from a configured canonical URL, or the web server rejects requests for hostnames it does not serve, a spoofed Host value never reaches the email; monitoring of reset requests then surfaces attempts rather than successes.

🌐 Internet-Facing: HIGH - the password reset endpoint is normally reachable from the internet, and the request needs nothing but a forged Host header.
🏢 Internal Only: MEDIUM - an attacker already on the internal network can exploit it just as easily, but the smaller set of attackers who can reach the endpoint lowers the likelihood.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication: the attacker only needs to submit a password reset request for the victim's address with a forged Host (or, where the stack honours it, X-Forwarded-Host) header. No CVE-specific exploit code is needed; the generic password reset poisoning technique documented in the Account Takeover section of PayloadsAllTheThings applies directly. Completing the takeover does require the victim to click the poisoned link, which is the user interaction the 8.8 score reflects.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after v1.3.1+2020120201 (check latest release)

Vendor Advisory: https://github.com/idno/known

Restart Required: No

Instructions:

1. Update Known CMS to the latest release.
2. If Known was installed with Composer: composer update idno/known
3. If installed manually: download the latest release from GitHub and replace the files.
4. Clear any caches if applicable.

🔧 Temporary Workarounds

Host Header Validation

Platform: all

Make the web server answer only for the site's real hostnames and refuse every other Host value. This must be an allowlist: blocking individual attacker domains (for example "evil.com") does not help, because the attacker chooses the hostname and can use any domain or a bare IP address.

# Apache 2.4: SetEnvIfNoCase Host "^known\.example\.org$" good_host   and, inside <Location />:   Require env good_host
# Nginx: server { listen 443 ssl default_server; server_name _; return 444; }   (Known's own server block keeps an explicit server_name known.example.org;)
# Replace known.example.org with every hostname the site legitimately serves, including any www. variant.

Canonical Site URL

Platform: all

Configure Known with a fixed canonical site URL so that generated links, including password reset links, are built from configuration rather than from the incoming Host header. The exact setting depends on your Known version; check the configuration documentation for your release, then confirm with a spoofed-Host request that reset links still point only at the canonical domain. This is a defence-in-depth measure alongside the web server allowlist, not a substitute for the patch.

🧯 If You Can't Patch

  • Add WAF rules that allow only the site's own hostnames in the Host header on the password reset path (an allowlist; a list of known-bad names will miss the next attacker domain)
  • Disable password reset functionality temporarily if it is not critical

🔍 How to Verify

Check if Vulnerable:

Request a password reset for an account you control while setting the Host header to a hostname you own (for example Host: probe.example.net), then read the resulting email. If the reset link points at probe.example.net instead of the site's domain, the instance is vulnerable. Use a test account and a hostname you own, never a third party's domain.

Check Version:

Check the version file in the Known install root (version.known in current releases) or the version shown in the Known admin panel.

Verify Fix Applied:

After patching, repeat the spoofed-Host request: every link in the reset email must point at the site's own domain.
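A probe for the check above, added here and not part of the original page or the Known project: it builds the reset request with a forged Host header, can send it to a test instance, and inspects the captured email for links that leave the site's domain. The target hostname, probe hostname, form field name and sample email are assumptions; run it only against an instance and account you own.

```python
import http.client
import re
from urllib.parse import quote_plus, urlsplit

# Assumed values: the instance under test, the hostname you control for the
# probe, and the reset path named elsewhere on this page. Run this only
# against an instance you own, with a test account whose mail you can read.
TARGET_HOST = "known.example.org"
PROBE_HOST = "probe.example.net"
RESET_PATH = "/account/password/reset/"
EMAIL_FIELD = "email"  # assumed form field name; confirm against the reset form


def probe_request(account_email: str, spoofed_host: str = PROBE_HOST) -> dict:
    """Build the reset request with the Host header replaced by the probe host."""
    body = f"{EMAIL_FIELD}={quote_plus(account_email)}"
    return {
        "method": "POST",
        "path": RESET_PATH,
        "headers": {
            "Host": spoofed_host,
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": str(len(body)),
        },
        "body": body,
    }


def send_probe(req: dict, target_host: str = TARGET_HOST, use_tls: bool = True) -> int:
    """Send the probe to the real server while presenting the spoofed Host.

    http.client keeps a caller-supplied Host header instead of adding its own,
    so TCP/TLS go to target_host but the application sees the spoofed value.
    Network call; the offline checks on this page do not invoke it.
    """
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(target_host, timeout=10)
    try:
        conn.request(req["method"], req["path"], body=req["body"], headers=req["headers"])
        return conn.getresponse().status
    finally:
        conn.close()


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def poisoned_links(email_body: str, legitimate_host: str = TARGET_HOST) -> list:
    """Return every link in the captured e-mail whose host is not the site.

    An empty list after a spoofed-Host request means the patch (or a
    server-side workaround) is effective; any entry means the Host header
    reached the e-mail and the instance is vulnerable.
    """
    legit = legitimate_host.lower()
    return [
        url for url in URL_RE.findall(email_body)
        if (urlsplit(url).hostname or "").lower() != legit
    ]


# Constructed sample of what the mail looks like on a vulnerable instance
# (not a real Known message), so the check can be exercised offline.
SAMPLE_EMAIL = (
    "Someone asked to reset the password for your account.\n"
    "Use this link to choose a new password:\n"
    "http://probe.example.net/account/password/reset/?code=3f9c2a\n"
    "Questions? https://known.example.org/help\n"
)

if __name__ == "__main__":
    req = probe_request("you@example.org")
    print("would send:", req["method"], req["path"], "with Host:", req["headers"]["Host"])
    print("poisoned links in sample mail:", poisoned_links(SAMPLE_EMAIL))
```

Point send_probe() at a staging instance whose outbound mail lands in a catch-all mailbox, then feed the received message body to poisoned_links(); the same two calls serve as the pre-patch and post-patch check.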

📡 Detection & Monitoring

Log Indicators:

  • Host header values in the web server log that are not one of the site's hostnames (this needs the Host header in the log format, e.g. %{Host}i in Apache or $http_host in nginx; many default formats omit it)
  • Multiple password reset requests from a single IP in a short window
  • Password reset requests with suspicious or missing referrers

Network Indicators:

  • Password reset requests whose Host or X-Forwarded-Host value is not one of the site's hostnames
  • Users' browsers or mail-client link previews fetching a URL that carries a reset token from a domain that is not the site's, shortly after a reset email was sent

SIEM Query:

source="web_logs" AND uri="/account/password/reset*" AND NOT (Host="known.example.org" OR Host="www.known.example.org")

Substitute the site's real hostnames. An allowlist catches any spoofed value, including bare IP literals and ports, where matching on "evil" or "attacker" only catches the names you guessed in advance.
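The query above expressed as allowlist logic over access-log lines, as an added example that is not from the original page: it flags reset requests whose Host is not one of the site's hostnames and counts reset requests per client IP. The log format, hostnames and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed hostnames the site legitimately answers to; everything else is
# treated as a spoofed Host. RESET_PATH is the path this page's query names.
ALLOWED_HOSTS = {"known.example.org", "www.known.example.org"}
RESET_PATH = "/account/password/reset/"

# Assumes the access log records the request's Host header as its first
# field, e.g. Apache LogFormat "%{Host}i %h %l %u %t \"%r\" %>s" or an
# nginx log_format that starts with $http_host.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_only(value: str) -> str:
    """Drop an explicit port and normalise case: 'Evil.Example:8080' -> 'evil.example'."""
    return value.split(":", 1)[0].lower()


def reset_requests(lines):
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(RESET_PATH):
            yield rec


def poisoning_attempts(lines) -> list:
    """Reset requests whose Host is outside the allowlist; the page's
    "*evil.com*" and IP-literal indicators are all special cases of this."""
    return [r for r in reset_requests(lines) if host_only(r["host"]) not in ALLOWED_HOSTS]


def reset_counts_by_ip(lines) -> Counter:
    """Reset requests per client IP, for the 'many resets from one IP' indicator."""
    return Counter(r["ip"] for r in reset_requests(lines))


# Constructed sample log (not real traffic): one legitimate user, one
# attacker spoofing a domain and then an IP literal as Host.
SAMPLE_LOG = """\
known.example.org 203.0.113.10 - - [10/Jun/2022:12:00:01 +0000] "GET /account/password/reset/ HTTP/1.1" 200
attacker.example 198.51.100.7 - - [10/Jun/2022:12:00:05 +0000] "POST /account/password/reset/ HTTP/1.1" 200
attacker.example 198.51.100.7 - - [10/Jun/2022:12:00:06 +0000] "POST /account/password/reset/ HTTP/1.1" 200
known.example.org 203.0.113.10 - - [10/Jun/2022:12:00:09 +0000] "POST /account/password/reset/ HTTP/1.1" 302
198.51.100.7:80 198.51.100.7 - - [10/Jun/2022:12:00:12 +0000] "POST /account/password/reset/ HTTP/1.1" 200
attacker.example 198.51.100.7 - - [10/Jun/2022:12:00:20 +0000] "GET /status/ HTTP/1.1" 200
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for r in poisoning_attempts(lines):
        print(f"{r['ts']} {r['ip']} spoofed Host={r['host']} {r['method']} {r['path']}")
    print("reset requests per IP:", dict(reset_counts_by_ip(lines)))
```

The per-IP counter is deliberately kept separate from the Host check: a patched instance will still see reset-flooding attempts, and a single spoofed request is enough to matter on an unpatched one, so the two indicators should alert independently.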
