Masa CMS XSS Vulnerability

HIGH (8.2)

Threat Intelligence

Low Risk
EPSS Score: 0.04% chance of exploitation (percentile: 12%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Masa CMS is an open-source Enterprise Content Management platform: a web application that lets users create, manage, and publish content. A cross-site scripting (XSS) flaw in its rendering logic lets an attacker run arbitrary script in the context of a victim's browser session, which can lead to session hijacking, data theft, site defacement, and malware distribution.

Am I affected?

You're affected if you use Masa CMS. Affected versions: 7.2.8, 7.4.8, 7.5.1, 7.3.13. If you don't recognise this software, you're probably not affected.

How to fix

To fix this vulnerability, upgrade to a patched version of Masa CMS. The fixed versions are:

  • 7.5.2
  • 7.4.9
  • 7.3.14
  • 7.2.9

The fix is available in the official GitHub repository: https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e.

Immediate mitigations include:

  • Configuring a Web Application Firewall (WAF) rule to block requests containing common XSS payload characters in the ajax query parameter.
  • Implementing server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.
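As an added example (not code from Masa CMS or from this advisory), the following Python WSGI middleware implements both mitigations above in front of an application: in `block` mode it behaves like the WAF rule and rejects any request whose `ajax` parameter carries markup metacharacters; in `strip` mode it removes those characters before the request reaches the application. It assumes the `ajax` parameter only ever needs a simple flag-like value, so such characters can be refused outright; the metacharacter list and the `echo_app` stand-in for the vulnerable rendering are constructed for the demonstration.

```python
"""Added example: guard the `ajax` query parameter in front of a web app."""
import re
from urllib.parse import parse_qsl, urlencode

# Metacharacters a flag-like parameter never legitimately needs and that
# reflected-XSS payloads rely on. Constructed list for this example; tune it
# to what your deployment actually sends in this parameter.
XSS_METACHARS = re.compile(r'[<>"\'`]')
PARAM = "ajax"  # the parameter named in the advisory


def is_suspicious(value: str) -> bool:
    """True when the (URL-decoded) value contains markup metacharacters."""
    return XSS_METACHARS.search(value) is not None


def strip_metachars(value: str) -> str:
    """Remove markup metacharacters; used by the sanitising mode."""
    return XSS_METACHARS.sub("", value)


def filter_query(query_string: str, mode: str = "block"):
    """Apply the mitigation to a raw query string.

    Returns (action, query_string) where action is "pass", "block" or "strip".
    parse_qsl decodes percent-encoding first, so "%3Cscript%3E" is caught too.
    """
    pairs = parse_qsl(query_string, keep_blank_values=True)
    hit = any(k == PARAM and is_suspicious(v) for k, v in pairs)
    if not hit:
        return "pass", query_string
    if mode == "block":
        return "block", query_string
    cleaned = [(k, strip_metachars(v) if k == PARAM else v) for k, v in pairs]
    return "strip", urlencode(cleaned)


class AjaxParamGuard:
    """WSGI middleware; a reverse proxy in front of the CMS would play the same role.

    mode="block": reply 403 (the WAF rule).  mode="strip": rewrite QUERY_STRING
    without the metacharacters (the sanitising middleware).  Every hit is logged
    so the event can feed an alert.
    """

    def __init__(self, app, mode="block", log=print):
        self.app, self.mode, self.log = app, mode, log

    def __call__(self, environ, start_response):
        action, qs = filter_query(environ.get("QUERY_STRING", ""), self.mode)
        if action == "block":
            self.log(f"blocked {environ.get('PATH_INFO')} query={qs!r}")
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"request rejected\n"]
        if action == "strip":
            self.log(f"stripped metacharacters from {PARAM!r} parameter")
            environ["QUERY_STRING"] = qs
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Constructed stand-in for vulnerable rendering: reflects the query unescaped."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [environ.get("QUERY_STRING", "").encode()]


def call(app, query_string):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return seen["status"], body.decode()


if __name__ == "__main__":
    blocker = AjaxParamGuard(echo_app, mode="block")
    stripper = AjaxParamGuard(echo_app, mode="strip")
    print(call(blocker, "ajax=1&page=home"))              # passes through
    print(call(blocker, "ajax=%3Cscript%3Ealert(1)"))     # 403
    print(call(stripper, "ajax=%3Cscript%3Ealert(1)"))    # reaches app cleaned
```

A metacharacter blocklist is a stopgap rather than a fix: it narrows exposure and gives you a log line to alert on until the upgrade above is applied, but it does not address the underlying output-encoding defect in the rendering logic.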