CVE-2024-32642

Summary

Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.

Affected Software

VendorProductVersion RangeStatus
MasaCMSMasaCMS>= 7.4.0, < 7.4.6affected
MasaCMSMasaCMS>= 7.3.0, < 7.3.13affected
MasaCMSMasaCMS< 7.2.8affected

Weaknesses

  • CWE-346: CWE-346: Origin Validation Error
  • CWE-640: CWE-640: Weak Password Recovery Mechanism for Forgotten Password

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References