Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter
Vulnerability Description
Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Masa CMS 跨站脚本漏洞
Vulnerability Description
Masa CMS是一个数字体验平台。 Masa CMS 7.2.8及之前版本、7.3.1至7.3.13版本、7.4.0-alpha.1至7.4.8版本和7.5.0至7.5.1版本存在跨站脚本漏洞,该漏洞源于ajax URL查询参数未清理直接包含在HTML页面head部分,可能导致跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A