Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-29643
CVE-2024-29643:
PHP vulnerability analysis and mitigation
Overview
A Host Header Injection vulnerability was identified in Croogo version 3.0.2, tracked as CVE-2024-29643. The vulnerability specifically affects the feed.rss component of the content management system. The issue was discovered by Christ Bowel Bouchuen and was published on April 17, 2025 (Medium Blog).
Technical details
The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) and has received a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The issue stems from improper handling of the Host header in the feed.rss component, where the tag is dynamically generated using the Host header value, which can be fully controlled by an attacker (NVD, Medium Blog).
Impact
The vulnerability can lead to several security implications including injection of arbitrary domains in RSS feeds, malicious redirects in RSS readers and aggregators, brand spoofing and phishing opportunities, and potential application logic manipulation if the Host header is used in backend logic (Medium Blog).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management