CVE-2024-32642
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MasaCMS | MasaCMS | >= 7.4.0, < 7.4.6 | affected |
| MasaCMS | MasaCMS | >= 7.3.0, < 7.3.13 | affected |
| MasaCMS | MasaCMS | < 7.2.8 | affected |
Weaknesses
- CWE-346: CWE-346: Origin Validation Error
- CWE-640: CWE-640: Weak Password Recovery Mechanism for Forgotten Password
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8
- https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.