CVE-2025-66492

EPSS 0.21%
Veröffentlicht 12.12.2025 04:50:00
Zuletzt bearbeitet 22.12.2025 18:46:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter

Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 4 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Masacms ≫ Masacms Version < 7.2.9

Masacms ≫ Masacms Version >= 7.3.1 < 7.3.14

Masacms ≫ Masacms Version >= 7.4.0 < 7.4.9

Masacms ≫ Masacms Version >= 7.5.0 < 7.5.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.11

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	8.2	2.8	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc

Patch

Vendor Advisory

https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-66492

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66492

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66492

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-66492