Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in csettings.cfc does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions.
AnalysisAI
Cross-Site Request Forgery in Masa CMS allows unauthenticated attackers to force logged-in administrators to create site bundles containing sensitive data including password hashes, user accounts, and configuration details. The bundles are saved to predictable public directories where any unauthenticated attacker can download them. This vulnerability affects versions 7.5.2 and earlier across multiple release branches. Fixed versions are available: 7.2.10, 7.3.15, 7.4.10, and 7.5.3. CVSS 7.1 HIGH with network attack vector requiring user interaction but no authentication.
Technical ContextAI
The vulnerability exists in the createBundle method within csettings.cfc (ColdFusion Component) of Masa CMS, a content management system forked from Mura CMS. The affected method lacks proper anti-CSRF token validation when processing site bundle creation requests. CWE-352 (Cross-Site Request Forgery) occurs when a web application does not verify that a request was intentionally submitted by the authenticated user. In this case, the application fails to verify CSRF tokens on a state-changing administrative function. The vulnerability allows attackers to leverage the administrator's existing authenticated session through social engineering, causing the application to create comprehensive site exports without cryptographic verification of request legitimacy. The bundles are written to publicly accessible web directories with predictable paths, compounding the exposure by eliminating the need for authenticated access to retrieve the exfiltrated data.
RemediationAI
Upgrade to patched versions immediately: 7.2.10, 7.3.15, 7.4.10, or 7.5.3 depending on your current release branch. Vendor security advisory with upgrade guidance available at https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-622v-h7vf-w4gm. If immediate patching is not feasible, implement these compensating controls: (1) Audit and remove any unexpected bundle files from public web directories - check for .zip or .tar files in predictable bundle output locations; (2) Configure web server rules to deny public access to bundle creation endpoints (specifically the csettings.cfc createBundle method) - restrict access to trusted IP ranges only; (3) Enforce network segmentation so administrators access the CMS only from isolated management networks, reducing CSRF attack surface; (4) Implement Content Security Policy headers to restrict cross-origin requests. Trade-offs: IP restriction may interfere with legitimate remote administration; removing public directory access to bundles will break any automated backup processes that retrieve bundles via HTTP. After patching, verify CSRF token implementation is functioning by testing bundle creation with tampered tokens.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28161