Highguustnieuwenhuis

**Name of the Vulnerable Software and Affected Versions** Masa CMS versions prior to 7.2.10 Masa CMS versions prior to 7.3.15 Masa CMS versions prior to 7.4.10 Masa CMS versions prior to 7.5.3 **Description** The `cUsers.updateAddress()` function fails to properly validate anti-CSRF (Cross-Site Request Forgery) tokens during user address management operations. This allows an attacker to trick an authenticated administrator into submitting a forged request to add, modify, or delete user address records, such as email addresses and phone numbers. This could lead to the corruption of user directory data and the redirection of organizational communications. **Recommendations** Update to version 7.2.10. Update to version 7.3.15. Update to version 7.4.10. Update to version 7.5.3. Restrict access to the administrative backend. Use browser isolation for administrative sessions. Deploy filtering rules to block forged requests to the affected endpoint.

**Name of the Vulnerable Software and Affected Versions** Masa CMS versions prior to 7.2.10 Masa CMS versions prior to 7.3.15 Masa CMS versions prior to 7.4.10 Masa CMS versions prior to 7.5.3 **Description** The `cTrash.empty()` function fails to validate anti-CSRF (Cross-Site Request Forgery) tokens for trash management requests. This allows an attacker to trick an authenticated administrator into submitting a forged request that empties the trash, resulting in the permanent deletion of all deleted content and irreversible data loss. **Recommendations** Update to version 7.2.10. Update to version 7.3.15. Update to version 7.4.10. Update to version 7.5.3. Restrict access to the administrative backend. Use browser isolation for administrative sessions. Maintain current database backups to recover from unauthorized deletion.

**Name of the Vulnerable Software and Affected Versions** Masa CMS versions prior to 7.2.10 Masa CMS versions prior to 7.3.15 Masa CMS versions prior to 7.4.10 Masa CMS versions prior to 7.5.3 **Description** The `cTrash.restore` function fails to properly validate anti-CSRF (Cross-Site Request Forgery) tokens during content restoration requests. This allows an attacker to deceive an authenticated administrator into submitting a forged request to restore deleted items. By manipulating the `parentid` parameter, the attacker can place restored items in a location of their choosing within the site structure. This may lead to the restoration of malicious or outdated content, exposure of sensitive documents in public areas, and disruption of site integrity. **Recommendations** Update to version 7.2.10. Update to version 7.3.15. Update to version 7.4.10. Update to version 7.5.3. Restrict access to the administrative backend. Use browser isolation for administrative sessions. Regularly empty the trash to reduce the amount of content available for unauthorized restoration.