CVE-2024-32643— Masa CMS vulnerable to authentication bypass with /tag/
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-32643
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Masa CMS vulnerable to authentication bypass with /tag/
Source: NVD (National Vulnerability Database)
Vulnerability Description
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Masa CMS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Masa CMS是一个数字体验平台。 Masa CMS 7.2.8之前版本、7.3.13之前版本和7.4.6之前版本存在安全漏洞,该漏洞源于修改页面URL包含tag声明时绕过组限制,可能导致未经授权的页面渲染。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-32643
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-32643
请登录查看更多情报信息。
Same Patch Batch · MasaCMS · 2025-12-03 · 3 CVEs total
| CVE-2024-32641 | 9.8 CRITICAL | Masa CMS Vulnerable to Pre-Auth RCE via JSON API |
| CVE-2024-32642 | 8.8 HIGH | Host header poisoning allows account takeover via password reset email |
IV. Related Vulnerabilities
Same product: MasaCMS
- CVE-2026-40332
Masa CMS open redirect via improper handling of scheme-relat - CVE-2026-40326
Masa CMS CSRF in site bundle creation allows unauthorized si - CVE-2026-40325
Masa CMS CSRF in content restoration allows unauthorized res - CVE-2026-40309
Masa CMS CSRF in trash management allows unauthorized perman - CVE-2026-40174
Masa CMS CSRF in user address management allows unauthorized
Same vendor: MasaCMS
- CVE-2026-40332
Masa CMS open redirect via improper handling of scheme-relat - CVE-2026-40326
Masa CMS CSRF in site bundle creation allows unauthorized si - CVE-2026-40325
Masa CMS CSRF in content restoration allows unauthorized res - CVE-2026-40309
Masa CMS CSRF in trash management allows unauthorized perman - CVE-2026-40174
Masa CMS CSRF in user address management allows unauthorized
Same weakness: CWE-863
- CVE-2026-42571
Privilege Escalation Attack affecting Pelican Web UI - CVE-2025-15633
HCL BigFix WebUI is affected by an improper authorization vu - CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2025-66170
Apache CloudStack: Any user can list backups that they shoul - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
V. Comments for CVE-2024-32643
No comments yet