CVE-2024-32641

Masa CMS · Masa CMS

Masa CMS contains a remote code execution vulnerability in the addParam function, allowing unauthenticated attackers to execute arbitrary code via the m tag in the criteria parameter.

Executive summary

An unauthenticated remote code execution vulnerability in Masa CMS allows attackers to compromise the entire platform via malicious input.

Vulnerability

The vulnerability resides in the addParam function, which improperly validates user input provided via the criteria parameter. This input is processed by setDynamicContent, enabling an unauthenticated attacker to inject and execute arbitrary code using the m tag.

Business impact

The CVSS score of 9.8 reflects the critical nature of this flaw, as it permits full system compromise without requiring authentication. Successful exploitation leads to unauthorized code execution, potential data breaches, and total loss of confidentiality, integrity, and availability of the content management system and its hosted data.

Remediation

Immediate Action: Upgrade Masa CMS to the patched release of the branch in use (7.2.8, 7.3.13, or 7.4.6) to apply the necessary security fixes.

Proactive Monitoring: Inspect web server logs for suspicious m tag injections or unexpected activity associated with the criteria parameter.
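The log inspection described above, as an added example that is not part of the advisory or of the Masa CMS project: it parses combined-format web server access log lines, decodes the criteria query parameter, and reports requests whose decoded value contains an m-tag opener. The tag-opener pattern, the case-insensitive parameter matching, and the sample log lines are assumptions constructed for illustration, not taken from the CVE record.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /index.cfm?criteria=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:02 +0000] "GET /index.cfm?criteria=%3Cm%3Atest%3E HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:12:00:03 +0000] "POST /index.cfm?Criteria=%3CM+foo HTTP/1.1" 500 0 "-" "python-requests"
198.51.100.2 - - [10/May/2024:12:00:04 +0000] "GET /index.cfm?display=search&criteria=widgets HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed indicator: an opening "<m" tag inside the decoded criteria value.
M_TAG_RE = re.compile(r'<\s*m\b', re.IGNORECASE)


def suspicious_criteria(target):
    """Return decoded criteria values that carry an m-tag opener, or [] if none."""
    hits = []
    for key, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if key.lower() != "criteria":  # assumption: parameter names matched case-insensitively
            continue
        for raw in values:
            value = unquote_plus(raw)  # parse_qs decoded once; decode again to catch double encoding
            if M_TAG_RE.search(value):
                hits.append(value)
    return hits


def scan_log(text):
    """Return one finding per log line whose criteria parameter looks like an m-tag injection."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        hits = suspicious_criteria(match.group("target"))
        if hits:
            findings.append({"ip": match.group("ip"), "ts": match.group("ts"),
                             "method": match.group("method"),
                             "status": match.group("status"), "criteria": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```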

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block malicious input patterns targeting known CMS vulnerabilities.

Exploitation status

Public Exploit Available: N/A

Analyst recommendation

Remote code execution vulnerabilities in content management systems are high-priority targets for automated exploitation. Organizations running Masa CMS must perform the recommended updates immediately to prevent unauthorized access and potential system takeover.