CVE-2022-33012
Description
CVE-2022-33012 is a host header injection vulnerability in Microweber v1.2.15 that enables an attacker to poison password reset links, leading to account takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2022-33012 affects Microweber v1.2.15, a drag-and-drop website builder and CMS built on the PHP Laravel framework [1]. The vulnerability allows attackers to perform a host header injection attack, which can be used to conduct password reset poisoning and ultimately achieve account takeover [2][3]. The root cause is the application's failure to validate or sanitize the HTTP Host header when generating password reset emails, allowing an attacker to inject a malicious domain into the reset link [2][4].
Exploitation
Method
To exploit this vulnerability, an attacker intercepts the password reset request for a target victim and manipulates the Host header (or related headers such as X-Forwarded-Host) to point to an attacker-controlled domain [2][4]. The application then generates a password reset email whose link is built from the spoofed host header. When the victim clicks the malicious link, the password reset token (typically carried as a URL parameter) is either sent to the attacker's server or can be intercepted if the attacker hosts a phishing page at the spoofed domain [2][4]. No authentication is required; the attacker needs only the victim's email address and the ability to intercept or craft HTTP requests to the Microweber server.
Impact
Successful exploitation allows an attacker to obtain a valid password reset token for the victim's account. With this token, the attacker can reset the victim's password and log in as that user, effectively taking over the account [2][3]. This can lead to unauthorized access to sensitive user data, administrative control if the victim is an admin, and potential compromise of the entire Microweber site.
Mitigation
Status
The vulnerability was disclosed through a security researcher's blog post and confirmed by the vendor [3]. As of the publication date (November 22, 2022), users are advised to upgrade to a patched version of Microweber or implement workarounds such as strictly validating the Host header against a whitelist of allowed server names [2][4]. The current stable version (2.0) may have addressed this issue, but users running v1.2.15 or earlier should apply updates immediately.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| microweber/microweber | Packagist | <= 1.2.15 | — |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application improperly handles the Host header during password reset requests, allowing it to be injected."
Attack vector
An attacker can intercept a password reset request and inject a malicious Host header pointing to their own domain. The application then generates a password reset link using this injected Host header. When the victim clicks this link, the reset token is sent to the attacker's domain, enabling account takeover [ref_id=1].
Affected code
The vulnerability lies within the password reset functionality, specifically how the Host header is processed. The reference write-up describes modifying the Host header during a POST request to `/reset.php` to redirect the password reset link to an attacker-controlled domain [ref_id=1].
What the fix does
The patch is not provided in the bundle. However, the advisory indicates that the vulnerability is addressed by sanitizing the Host header during the password reset process. This prevents attackers from injecting arbitrary hostnames and redirecting password reset tokens to malicious sites [ref_id=1].
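As an added example (not Microweber's code, and not taken from any of the cited write-ups), the Python below contrasts a reset-link builder that trusts Host/X-Forwarded-Host with one that checks both headers against an allow-list and builds the mailed link from a configured canonical URL, which is the fix the advisory describes and the mitigation section above recommends. APP_URL, ALLOWED_HOSTS, the reset path and all header values are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Constructed deployment settings (hypothetical; not Microweber's configuration).
APP_URL = "https://shop.example.com"
ALLOWED_HOSTS = {"shop.example.com", "www.shop.example.com"}
RESET_PATH = "/reset-password.php"  # path shape quoted in the write-up's example URL


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the link from request headers: X-Forwarded-Host if present, else Host.
    Whatever a client (or an intermediary) supplies ends up in the mailed URL."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def host_is_trusted(headers: dict) -> bool:
    """True only if Host is present and every host-bearing header (Host and, when
    set, X-Forwarded-Host) names an allow-listed hostname, ignoring port and case."""
    if "Host" not in headers:
        return False
    for name in ("Host", "X-Forwarded-Host"):
        if name in headers:
            hostname = headers[name].split(":", 1)[0].strip().lower()
            if hostname not in ALLOWED_HOSTS:
                return False
    return True


def hardened_reset_link(headers: dict, token: str) -> str:
    """Refuse untrusted hosts, then build the link from APP_URL so the mailed
    URL never depends on request headers at all."""
    if not host_is_trusted(headers):
        raise ValueError("untrusted Host/X-Forwarded-Host; not sending reset mail")
    base = urlsplit(APP_URL)
    return f"{base.scheme}://{base.netloc}{RESET_PATH}?{urlencode({'token': token})}"


if __name__ == "__main__":
    token = "TOKEN_PLACEHOLDER"  # constructed; real tokens are random and single-use
    honest = {"Host": "shop.example.com"}
    spoofed = {"Host": "shop.example.com", "X-Forwarded-Host": "attacker.invalid"}
    print(vulnerable_reset_link(spoofed, token))  # link now points at attacker.invalid
    print(hardened_reset_link(honest, token))     # link built from APP_URL
    try:
        hardened_reset_link(spoofed, token)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting the request outright (rather than silently falling back to APP_URL) also gives defenders a log event to alert on, since a legitimate browser never sends an unexpected Host value.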
Preconditions
- Input: the attacker needs to know the victim's email address to initiate the password reset.
- Network: the attacker must be able to intercept and modify the HTTP request made by the victim or the server.
Reproduction
1. Intercept the password reset request in Burp Suite.
2. Add or edit the following headers in Burp Suite: Host: [ATTACKER.DOMAIN.TLD] and X-Forwarded-Host: [ATTACKER.DOMAIN.TLD].
3. Forward the request with the modified headers.
4. Look for a password reset URL based on the host header, such as https://[ATTACKER.DOMAIN.TLD]/reset-password.php?token=TOKEN [ref_id=1].
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- github.com/advisories/GHSA-rp7f-fhm8-9hpf (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-33012 (GHSA, advisory)
- blog.jitendrapatro.me/cve-2022-33012-account-takeover-through-password-reset-poisoning (GHSA, web)
- github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Account%20Takeover (GHSA, web)
- www.pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability (GHSA, web)
- blog.jitendrapatro.me/cve-2022-33012-account-takeover-through-password-reset-poisoning/ (MITRE)
- www.pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability/ (MITRE)
News mentions: 0
No linked articles in our index yet.