CVE-2024-32641
Masa CMS · Masa CMS
Masa CMS contains a remote code execution vulnerability in the addParam function, allowing unauthenticated attackers to execute arbitrary code via the m tag in the criteria parameter.
Executive summary
An unauthenticated remote code execution vulnerability in Masa CMS allows attackers to compromise the entire platform via malicious input.
Vulnerability
The vulnerability resides in the addParam function, which improperly validates user input provided via the criteria parameter. This input is processed by setDynamicContent, enabling an unauthenticated attacker to inject and execute arbitrary code using the m tag.
Business impact
The CVSS score of 9.8 reflects the critical nature of this flaw, as it permits full system compromise without requiring authentication. Successful exploitation leads to unauthorized code execution, potential data breaches, and total loss of confidentiality, integrity, and availability of the content management system and its hosted data.
Remediation
Immediate Action: Upgrade Masa CMS immediately to version 7.2.8, 7.3.13, or 7.4.6 to apply the necessary security patches.
Proactive Monitoring: Inspect web server logs for requests whose criteria parameter carries m tag markup, and for any other unexpected activity involving that parameter.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block malicious input patterns targeting known CMS vulnerabilities.
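The log inspection recommended above can be scripted. The following is an added detection example written for this advisory; it is not code from the advisory or from the Masa CMS project. It assumes Common/Combined Log Format access-log lines and assumes the dynamic-content tag syntax is [m]...[/m] (the advisory only says "m tag"); the sample log lines are constructed, not real traffic. It decodes the criteria value repeatedly so double percent-encoded requests are still caught, and it ignores parameters other than criteria. Because access logs do not record POST bodies, it only covers requests that carry the parameter in the query string.

```python
"""Flag access-log requests whose `criteria` query parameter carries m-tag markup.

Added example for log triage; assumptions: Common Log Format lines and the
tag syntax `[m]...[/m]` (not stated on the advisory page itself).
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# One Common/Combined Log Format line; only the fields needed for triage are named.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed tag syntax: an opening "[m" followed by "]" or attributes.
# Case-insensitive so "[M]" is caught too.
M_TAG = re.compile(r'\[\s*m\b', re.IGNORECASE)

MAX_DECODE_ROUNDS = 3  # bounded, so a pathological value cannot loop forever


def decoded_variants(value: str):
    """Yield the value and each successive percent-decoding until it stops changing."""
    current = value
    yield current
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote_plus(current)
        if nxt == current:
            break
        current = nxt
        yield current


def criteria_values(target: str):
    """Return every value of the `criteria` query parameter (key matched case-insensitively)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [v for k, vs in params.items() if k.lower() == "criteria" for v in vs]


def is_suspicious(target: str) -> bool:
    """True if any criteria value contains m-tag markup after decoding."""
    for raw in criteria_values(target):
        for variant in decoded_variants(raw):
            if M_TAG.search(variant):
                return True
    return False


def scan_log(text: str):
    """Return (ip, timestamp, target) for each flagged request; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


# Constructed sample lines (not real traffic): a benign search, an encoded tag,
# a double-encoded tag, a tag in an unrelated parameter, and a POST with no query.
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2024:10:00:01 +0000] "GET /index.cfm?criteria=laptop HTTP/1.1" 200 5120
203.0.113.11 - - [01/May/2024:10:00:02 +0000] "GET /index.cfm?criteria=%5Bm%5Dx%5B%2Fm%5D HTTP/1.1" 200 812
203.0.113.12 - - [01/May/2024:10:00:03 +0000] "GET /index.cfm?criteria=%255Bm%255Dx%255B%252Fm%255D HTTP/1.1" 200 812
203.0.113.13 - - [01/May/2024:10:00:04 +0000] "GET /index.cfm?q=%5Bm%5D HTTP/1.1" 200 5120
203.0.113.14 - - [01/May/2024:10:00:05 +0000] "POST /index.cfm HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

Run against a real log by passing the file contents to scan_log; the two flagged sample lines are the encoded and double-encoded ones, while the tag in the unrelated q parameter is deliberately not reported, so widen criteria_values if the deployment exposes other parameters that reach setDynamicContent.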
Exploitation status
Public Exploit Available: N/A
Analyst recommendation
Remote code execution vulnerabilities in content management systems are high-priority targets for automated exploitation. Organizations running Masa CMS must perform the recommended updates immediately to prevent unauthorized access and potential system takeover.