CVE-2024-32642
BaseFortify
Publication date: 2025-12-03
Last updated on: 2025-12-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| masacms | masacms | to 7.2.8 (exc) |
| masacms | masacms | From 7.3 (inc) to 7.3.13 (exc) |
| masacms | masacms | From 7.4.0 (inc) to 7.4.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Masa CMS is a host header poisoning issue that allows an attacker to take over user accounts by exploiting the password reset email functionality. By manipulating the host header, the attacker can influence the content or destination of the password reset email, potentially gaining unauthorized access to user accounts.
How can this vulnerability impact me? :
The vulnerability can lead to account takeover, allowing attackers to gain unauthorized access to user accounts. This can result in loss of confidentiality, integrity, and availability of user data and potentially the entire CMS system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Masa CMS to version 7.2.8, 7.3.13, or 7.4.6 or later, as these versions contain the fix for the host header poisoning vulnerability that allows account takeover via password reset email.