{"id":"CVE-2022-33012","details":"Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.","aliases":["GHSA-rp7f-fhm8-9hpf"],"modified":"2026-04-12T03:44:53.700116Z","published":"2022-11-22T14:15:10.377Z","references":[{"type":"ADVISORY","url":"https://www.pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability/"},{"type":"PACKAGE","url":"https://github.com/microweber/microweber"},{"type":"EVIDENCE","url":"https://blog.jitendrapatro.me/cve-2022-33012-account-takeover-through-password-reset-poisoning/"},{"type":"EVIDENCE","url":"https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Account%20Takeover#account-takeover-through-password-reset-poisoning"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/microweber/microweber","events":[{"introduced":"0"},{"last_affected":"5eb846301d61b22eda84a997026d050a14a518f4"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.2.15"}],"cpe":"cpe:2.3:a:microweber:microweber:1.2.15:*:*:*:*:*:*:*"}}],"versions":["1.0.3","1.0.5-fix1","1.0.6","1.0.7-fix1","1.2.9","v1.2.10","v1.2.11","v1.2.12","v1.2.13","v1.2.15","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.2.8","v1.2.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-33012.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}