Search criteria
7 vulnerabilities by masacms
CVE-2025-66492 (GCVE-0-2025-66492)
Vulnerability from cvelistv5 – Published: 2025-12-12 04:50 – Updated: 2025-12-18 20:37
VLAI?
Title
Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter
Summary
Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.
Severity ?
8.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T20:37:03.542013Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T20:37:13.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MasaCMS",
"vendor": "MasaCMS",
"versions": [
{
"status": "affected",
"version": "\u003c 7.2.9"
},
{
"status": "affected",
"version": "\u003e= 7.3.1, \u003c 7.3.14"
},
{
"status": "affected",
"version": "\u003e= 7.4.0-alpha.1, \u003c 7.4.8"
},
{
"status": "affected",
"version": "\u003e= 7.5.0, \u003c 7.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the \u003chead\u003e section of the HTML page. An attacker can execute arbitrary scripts in the context of the user\u0027s session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T04:50:00.637Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e"
}
],
"source": {
"advisory": "GHSA-249c-vqwv-43vc",
"discovery": "UNKNOWN"
},
"title": "Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66492",
"datePublished": "2025-12-12T04:50:00.637Z",
"dateReserved": "2025-12-02T22:44:04.708Z",
"dateUpdated": "2025-12-18T20:37:13.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32643 (GCVE-0-2024-32643)
Vulnerability from cvelistv5 – Published: 2025-12-03 16:43 – Updated: 2025-12-03 21:25
VLAI?
Title
Masa CMS vulnerable to authentication bypass with /tag/
Summary
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
Severity ?
7.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32643",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:25:43.095337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:25:54.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MasaCMS",
"vendor": "MasaCMS",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 7.4.6"
},
{
"status": "affected",
"version": "\u003e= 7.3.0, \u003c 7.3.13"
},
{
"status": "affected",
"version": "\u003c 7.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:43:31.983Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-f469-jh82-97fv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-f469-jh82-97fv"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/d1a2e57ef8dbc50c87b178eacc85fcccb05f5b6c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/d1a2e57ef8dbc50c87b178eacc85fcccb05f5b6c"
}
],
"source": {
"advisory": "GHSA-f469-jh82-97fv",
"discovery": "UNKNOWN"
},
"title": "Masa CMS vulnerable to authentication bypass with /tag/"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32643",
"datePublished": "2025-12-03T16:43:31.983Z",
"dateReserved": "2024-04-16T14:15:26.874Z",
"dateUpdated": "2025-12-03T21:25:54.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32642 (GCVE-0-2024-32642)
Vulnerability from cvelistv5 – Published: 2025-12-03 16:37 – Updated: 2025-12-03 16:50
VLAI?
Title
Host header poisoning allows account takeover via password reset email
Summary
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32642",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T16:50:28.932386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:50:44.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MasaCMS",
"vendor": "MasaCMS",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 7.4.6"
},
{
"status": "affected",
"version": "\u003e= 7.3.0, \u003c 7.3.13"
},
{
"status": "affected",
"version": "\u003c 7.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:37:53.409Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960"
}
],
"source": {
"advisory": "GHSA-qjm6-c8hx-ffh8",
"discovery": "UNKNOWN"
},
"title": "Host header poisoning allows account takeover via password reset email"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32642",
"datePublished": "2025-12-03T16:37:53.409Z",
"dateReserved": "2024-04-16T14:15:26.874Z",
"dateUpdated": "2025-12-03T16:50:44.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32641 (GCVE-0-2024-32641)
Vulnerability from cvelistv5 – Published: 2025-12-03 16:26 – Updated: 2025-12-03 16:31
VLAI?
Title
Masa CMS Vulnerable to Pre-Auth RCE via JSON API
Summary
Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.
Severity ?
9.8 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32641",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T16:31:34.466457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:31:42.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MasaCMS",
"vendor": "MasaCMS",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 7.4.6"
},
{
"status": "affected",
"version": "\u003e= 7.3.0, \u003c 7.3.13"
},
{
"status": "affected",
"version": "\u003c 7.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:26:00.795Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6"
}
],
"source": {
"advisory": "GHSA-cj9g-v5mq-qrjm",
"discovery": "UNKNOWN"
},
"title": "Masa CMS Vulnerable to Pre-Auth RCE via JSON API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32641",
"datePublished": "2025-12-03T16:26:00.795Z",
"dateReserved": "2024-04-16T14:15:26.874Z",
"dateUpdated": "2025-12-03T16:31:42.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32640 (GCVE-0-2024-32640)
Vulnerability from cvelistv5 – Published: 2025-08-11 20:38 – Updated: 2025-12-03 16:03
VLAI?
Title
MasaCMS SQL Injection vulnerability
Summary
MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.5, 7.3.12, and 7.2.7 contain a fix for the issue.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T20:59:02.553186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T20:59:20.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MasaCMS",
"vendor": "MasaCMS",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 7.4.5"
},
{
"status": "affected",
"version": "\u003e= 7.3.0, \u003c 7.3.12"
},
{
"status": "affected",
"version": "\u003c 7.2.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.5, 7.3.12, and 7.2.7 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.5, 7.3.12, and 7.2.7 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:03:56.147Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-24rr-gwx3-jhqc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-24rr-gwx3-jhqc"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/259fc6061d022d5025a3289a3f8de9852ad9c91d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/259fc6061d022d5025a3289a3f8de9852ad9c91d"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/280489e2d6c8daf5022fdb0225235462dd9d4534",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/280489e2d6c8daf5022fdb0225235462dd9d4534"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/3d6319b8775bb6438bc822d845926990511f5075",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/3d6319b8775bb6438bc822d845926990511f5075"
},
{
"name": "https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Stuub/CVE-2024-32640-SQLI-MuraCMS"
},
{
"name": "https://projectdiscovery.io/blog/hacking-apple-with-sql-injection?ref=projectdiscovery-io-blog-newsletter",
"tags": [
"x_refsource_MISC"
],
"url": "https://projectdiscovery.io/blog/hacking-apple-with-sql-injection?ref=projectdiscovery-io-blog-newsletter"
},
{
"name": "https://www.seebug.org/vuldb/ssvid-99835",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.seebug.org/vuldb/ssvid-99835"
}
],
"source": {
"advisory": "GHSA-24rr-gwx3-jhqc",
"discovery": "UNKNOWN"
},
"title": "MasaCMS SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32640",
"datePublished": "2025-08-11T20:38:56.268Z",
"dateReserved": "2024-04-16T14:15:26.874Z",
"dateUpdated": "2025-12-03T16:03:56.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-47002 (GCVE-0-2022-47002)
Vulnerability from cvelistv5 – Published: 2023-02-01 00:00 – Updated: 2024-08-03 14:47
VLAI?
Summary
A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:47:27.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/MasaCMS/MasaCMS/releases/tag/7.3.10"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.hoyahaxa.com/2023/01/preliminary-security-advisory.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.hoyahaxa.com/2023/03/authentication-bypass-mura-masa.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T12:34:03.234636",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MasaCMS/MasaCMS/releases/tag/7.3.10"
},
{
"url": "https://www.hoyahaxa.com/2023/01/preliminary-security-advisory.html"
},
{
"url": "https://www.hoyahaxa.com/2023/03/authentication-bypass-mura-masa.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-47002",
"datePublished": "2023-02-01T00:00:00",
"dateReserved": "2022-12-12T00:00:00",
"dateUpdated": "2024-08-03T14:47:27.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-42183 (GCVE-0-2021-42183)
Vulnerability from cvelistv5 – Published: 2022-05-05 13:02 – Updated: 2024-08-04 03:30
VLAI?
Summary
MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:30:37.486Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/MasaCMS/MasaCMS"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/MasaCMS/MasaCMS/blob/9bff7989ab902b2c42499bd4d1582e30d1ec4fe9/core/mura/content/file/fileManager.cfc#L368"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/0xRaw/CVE-2021-42183"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-09T10:22:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/blob/9bff7989ab902b2c42499bd4d1582e30d1ec4fe9/core/mura/content/file/fileManager.cfc#L368"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xRaw/CVE-2021-42183"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-42183",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/MasaCMS/MasaCMS",
"refsource": "MISC",
"url": "https://github.com/MasaCMS/MasaCMS"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/blob/9bff7989ab902b2c42499bd4d1582e30d1ec4fe9/core/mura/content/file/fileManager.cfc#L368",
"refsource": "MISC",
"url": "https://github.com/MasaCMS/MasaCMS/blob/9bff7989ab902b2c42499bd4d1582e30d1ec4fe9/core/mura/content/file/fileManager.cfc#L368"
},
{
"name": "https://github.com/0xRaw/CVE-2021-42183",
"refsource": "MISC",
"url": "https://github.com/0xRaw/CVE-2021-42183"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-42183",
"datePublished": "2022-05-05T13:02:49",
"dateReserved": "2021-10-11T00:00:00",
"dateUpdated": "2024-08-04T03:30:37.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}