Masacms
SQL injection in Masa CMS 7.2.x through 7.5.2 allows unauthenticated remote attackers to extract sensitive database contents including administrative credentials and password reset tokens. The JSON API accepts unsanitized altTable parameters that are directly interpolated into SQL FROM clauses, enabling arbitrary subquery injection via feedGateway.cfc in a single HTTP request. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. No public exploit or CISA KEV listing identified at time of analysis, but the technical details disclosed in the GitHub Security Advisory provide sufficient information for weaponization.
SQL injection in Masa CMS beanFeed.cfc allows unauthenticated remote attackers to extract sensitive database contents, modify records, delete data, or potentially execute code on the database server. The vulnerability affects multiple release branches (7.2.x through 7.5.x) and stems from unsanitized concatenation of the sortDirection parameter directly into SQL queries. With CVSS 9.3 (critical severity, network-accessible, no authentication required) and no public exploit currently identified, this represents a high-priority patching scenario for internet-facing Masa CMS deployments. Vendor-released patches are available across all affected branches.
SQL injection in Masa CMS 7.5.2 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands via the sortBy parameter in beanFeed.cfc. The vulnerability enables database compromise including sensitive data exfiltration, record manipulation, and privilege escalation to administrative control. Fixed versions released for all affected branches (7.2.10, 7.3.15, 7.4.10, 7.5.3). CVSS 9.3 reflects network vector with no authentication required and high impact across confidentiality, integrity, and availability. No active exploitation confirmed at time of analysis, though the attack surface is fully exposed to internet-facing instances.
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, it is vulnerable to host header poisoning, which allows account takeover via the password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.