Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fails to properly sanitize or parameterize this input before incorporating it into dynamic SQL statements. An unauthenticated remote attacker can execute arbitrary SQL commands against the database, potentially gaining access to sensitive data, modifying or deleting records, or escalating privileges to administrative control.
This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, configure WAF rules to block malicious SQL patterns in the sortBy parameter sent to beanFeed.cfc.
AnalysisAI
SQL injection in Masa CMS 7.5.2 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands via the sortBy parameter in beanFeed.cfc. The vulnerability enables database compromise including sensitive data exfiltration, record manipulation, and privilege escalation to administrative control. Fixed versions released for all affected branches (7.2.10, 7.3.15, 7.4.10, 7.5.3). CVSS 9.3 reflects network vector with no authentication required and high impact across confidentiality, integrity, and availability. No active exploitation confirmed at time of analysis, though the attack surface is fully exposed to internet-facing instances.
Technical ContextAI
The vulnerability resides in the beanFeed.cfc ColdFusion component's getQuery function, which constructs dynamic SQL queries using unsanitized user input from the sortBy parameter. CWE-89 (SQL Injection) occurs when applications concatenate or interpolate untrusted data directly into SQL statements rather than using parameterized queries or prepared statements. In ColdFusion applications, this typically manifests when cfquery tags use string concatenation with form or URL parameters. The affected component cpe:2.3:a:masacms:masacms handles content feed generation, suggesting the sortBy parameter controls result ordering in database queries. Without proper input validation or query parameterization, attackers can inject SQL metacharacters to break out of the intended query context and execute arbitrary SQL commands against the underlying database (likely MySQL, MSSQL, or similar RDBMS commonly used with ColdFusion).
RemediationAI
Upgrade immediately to patched versions: 7.2.10 for 7.2.x branch, 7.3.15 for 7.3.x branch, 7.4.10 for 7.4.x branch, or 7.5.3 for 7.5.x branch as documented in GitHub Security Advisory GHSA-3xpq-q494-8qq4. The vendor has backported fixes across all maintained release lines enabling in-place upgrades without major version migration. For environments unable to patch immediately, implement Web Application Firewall rules targeting the sortBy parameter in requests to beanFeed.cfc endpoints - specifically blocking SQL metacharacters (single quotes, semicolons, UNION keywords, comment sequences) and common injection patterns. Note that WAF-based mitigation provides defense-in-depth only and may be bypassed via encoding or obfuscation techniques; this is a temporary measure only until patching completes. Review database permissions for the ColdFusion application's database user account and reduce to minimum required privileges to limit post-exploitation impact. Audit application logs for suspicious sortBy parameter values indicating exploitation attempts prior to patching.
Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 a
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerabl
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the
SQL injection in Masa CMS 7.2.x through 7.5.2 allows unauthenticated remote attackers to extract sensitive database cont
SQL injection in Masa CMS beanFeed.cfc allows unauthenticated remote attackers to extract sensitive database contents, m
Same weakness CWE-89 – SQL Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27478