Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations.
An attacker can induce a logged-in administrator to submit a forged request that adds, modifies, or deletes user address records, including email addresses and phone numbers. This can be used to alter contact information, redirect organizational communications, and corrupt address data in the user directory. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules to block forged requests to the affected endpoint
AnalysisAI
Cross-site request forgery (CSRF) in Masa CMS 7.5.2 and earlier allows remote attackers to manipulate user address records through forged requests when authenticated administrators interact with malicious content. The cUsers.updateAddress function lacks proper anti-CSRF token validation, enabling unauthorized addition, modification, or deletion of email addresses, phone numbers, and other contact data. Patches available in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. EPSS data not provided; no CISA KEV listing indicates targeted rather than widespread exploitation; no public exploit identified at time of analysis.
Technical ContextAI
This vulnerability affects Masa CMS, a content management platform forked from Mura CMS. The flaw exists in the cUsers.updateAddress function, which handles administrative operations for managing user contact information within the CMS user directory. The root cause is CWE-352 (Cross-Site Request Forgery), where the application fails to validate anti-CSRF tokens that verify the authenticity of state-changing requests. Without proper token validation, the server cannot distinguish between legitimate administrator actions and forged requests originating from attacker-controlled sites. CSRF attacks exploit the browser's automatic inclusion of session cookies, allowing attackers to piggyback on valid administrative sessions. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:P) indicates network-based exploitation with low attack complexity requiring no privileges but user interaction, while VI:H (high integrity impact on vulnerable system) reflects the ability to corrupt critical user data.
RemediationAI
Upgrade to patched versions: 7.2.10 for 7.2.x branch, 7.3.15 for 7.3.x branch, 7.4.10 for 7.4.x branch, or 7.5.3 for 7.5.x branch. Vendor advisory at https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-572m-p246-4356 provides download links for patched releases. If immediate patching is not feasible, implement the following compensating controls: restrict administrative backend access to trusted IP ranges using firewall rules or web application firewall policies (reduces attack surface but limits administrative flexibility for remote work); enforce browser isolation or dedicated administrative workstations that do not browse external sites during CMS sessions (prevents CSRF delivery but increases operational overhead); deploy web application firewall rules to validate referer headers and block cross-origin requests to /admin/cUsers/updateAddress endpoints (may break legitimate cross-domain integrations if present). Note that workarounds only reduce risk and should be temporary measures until patching is complete.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28154