Description

Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, Masa CMS is vulnerable to host header poisoning, which allows account takeover via the password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
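The mechanism the description names, shown as an added illustration that is not Masa CMS code (Masa CMS runs on CFML; the reset path, hostnames, configuration names and log lines below are constructed for the example). It places a reset-link builder that copies the request's Host header into the emailed link beside a hardened version that takes the link origin from configuration and refuses unexpected Host values, and adds a small check over constructed access-log lines that flags password-reset requests arriving under a host the site does not serve.

```python
"""Host-header poisoning of a password-reset link: vulnerable vs hardened.

Added example, not Masa CMS code. CANONICAL_ORIGIN, ALLOWED_HOSTS,
the /forgot-password path and the log lines are constructed values.
"""
from urllib.parse import urlencode

# Constructed: the origin the operator configures for outbound links.
CANONICAL_ORIGIN = "https://cms.example.org"
# Constructed: hostnames the application is legitimately served as.
ALLOWED_HOSTS = {"cms.example.org", "www.example.org"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: scheme and host of the link come from request
    headers the client controls (Host, X-Forwarded-Host). The reset token
    is therefore mailed inside a link pointing at whatever host the
    request named, which is the account-takeover path in the advisory."""
    scheme = headers.get("X-Forwarded-Proto", "https")
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"{scheme}://{host}/reset?{urlencode({'token': token})}"


def _hostname(host_header: str) -> str:
    """Lower-case the Host value and drop an optional :port suffix."""
    return host_header.split(":", 1)[0].lower()


def reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the link origin is fixed configuration, never
    request data. The Host header is still validated against an allowlist
    so a request for an unexpected host fails closed instead of being
    served (and never reaches the mail step)."""
    host = headers.get("Host", "")
    if _hostname(host) not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


# Constructed access-log lines: "<timestamp> <host-header> <path>".
SAMPLE_ACCESS_LOG = [
    "2025-12-03T10:00:01Z cms.example.org /forgot-password",
    "2025-12-03T10:00:07Z untrusted.example /forgot-password",
    "2025-12-03T10:00:09Z cms.example.org /index.cfm",
    "2025-12-03T10:00:12Z cms.example.org:8443 /forgot-password",
]


def flag_reset_requests_with_foreign_host(lines, reset_path="/forgot-password"):
    """Detection check: return (timestamp, host) for every reset request
    whose Host header is not one of the hosts this site serves. Such
    requests are the signal that someone is trying to steer reset links."""
    flagged = []
    for line in lines:
        ts, host, path = line.split()
        if path != reset_path:
            continue
        if _hostname(host) not in ALLOWED_HOSTS:
            flagged.append((ts, host))
    return flagged


if __name__ == "__main__":
    request = {"Host": "untrusted.example"}
    print("vulnerable:", reset_link_vulnerable(request, "t0k"))
    try:
        reset_link_hardened(request, "t0k")
    except ValueError as exc:
        print("hardened refused:", exc)
    print("flagged:", flag_reset_requests_with_foreign_host(SAMPLE_ACCESS_LOG))
```

The two link builders are deliberately parallel: the only difference is where the origin comes from, which is the whole fix for this bug class. The log check strips the port before comparing so a legitimate request on a non-default port is not flagged; anything else outside the allowlist is.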

Status: PUBLISHED | Reserved 2024-04-16 | Published 2025-12-03 | Updated 2025-12-03 | Assigner GitHub_M

HIGH: 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-346: Origin Validation Error

CWE-640: Weak Password Recovery Mechanism for Forgotten Password

Product status

>= 7.4.0, < 7.4.6: affected

>= 7.3.0, < 7.3.13: affected

< 7.2.8: affected

References

github.com/...asaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8

github.com/...ommit/7541b9c99fb9e32d1de6f2658750525cec1d8960

cve.org (CVE-2024-32642)

nvd.nist.gov (CVE-2024-32642)