CVE-2024-32642

Source
https://cve.org/CVERecord?id=CVE-2024-32642
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32642.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-32642
Aliases
  • GHSA-qjm6-c8hx-ffh8
Published
2025-12-03T16:37:53.409Z
Modified
2026-03-03T02:52:46.791590Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Host header poisoning allows account takeover via password reset email
Details

Masa CMS is an open source Enterprise Content Management platform. Versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to host header poisoning, which allows account takeover via the password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32642.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-346",
        "CWE-640"
    ]
}
References

Affected packages

Git / github.com/masacms/masacms

Affected ranges

Type
GIT
Repo
https://github.com/masacms/masacms
Events

Affected versions

7.*
7.3
7.3.1
7.3.10
7.3.11
7.3.12
7.3.2
7.3.3
7.3.4
7.3.5
7.3.6
7.3.7
7.3.8
7.3.9
7.4.0
7.4.0-alpha.1
7.4.0-alpha.2
7.4.0-beta.1
7.4.0-beta.2
7.4.0-beta.3
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32642.json"