CVE-2025-66492— Masa CMS 跨站脚本漏洞

Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter

Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Masa CMS 跨站脚本漏洞

Masa CMS是一个数字体验平台。 Masa CMS 7.2.8及之前版本、7.3.1至7.3.13版本、7.4.0-alpha.1至7.4.8版本和7.5.0至7.5.1版本存在跨站脚本漏洞，该漏洞源于ajax URL查询参数未清理直接包含在HTML页面head部分，可能导致跨站脚本攻击。

N/A

N/A