Masacms · Masacms · CVE-2025-66492
**Name of the Vulnerable Software and Affected Versions**
Masa CMS versions 7.2.8 and below
Masa CMS versions 7.3.1 through 7.3.13
Masa CMS versions 7.4.0-alpha.1 through 7.4.8
Masa CMS versions 7.5.0 through 7.5.1
**Description**
Masa CMS, an open source Enterprise Content Management platform, is susceptible to a Cross-Site Scripting (XSS) issue: an unsanitized value from the `ajax` URL query parameter is included directly within the `<head>` section of the HTML page, so a crafted link can inject markup and script into the rendered response. This allows an attacker to execute arbitrary scripts within the user's session, potentially leading to Session Hijacking, Data Theft, Defacement, and Malware Distribution.
**Recommendations**
Upgrade to Masa CMS version 7.2.9 or later
Upgrade to Masa CMS version 7.3.14 or later
Upgrade to Masa CMS version 7.4.9 or later
Upgrade to Masa CMS version 7.5.2 or later
As an interim measure until the upgrade is applied, configure a Web Application Firewall (WAF) rule, such as ModSecurity, to block requests containing common XSS payload characters in the `ajax` query parameter.
Implement server-side sanitization using middleware to strip or HTML-escape dangerous characters from the `ajax` parameter before it reaches the vulnerable rendering logic, so that the value can no longer break out of its HTML context in `<head>`.
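The two mitigations above, as an added example in Python (not Masa CMS code, which is CFML): `render_head` shows the `ajax` value HTML-escaped before it is rendered into `<head>`, and `screen_log` applies the WAF-style check to constructed access-log lines. The `<meta name="ajax">` rendering point and the log format are assumptions for illustration.

```python
import html
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Characters that let an `ajax` value break out of an HTML or attribute context.
_HTML_SIGNIFICANT = re.compile(r'[<>"\'&]')


def ajax_param(url: str) -> Optional[str]:
    """Return the decoded `ajax` query value of a request URL, or None if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get("ajax")
    return values[0] if values else None


def render_head(ajax_value: Optional[str]) -> str:
    """Render the (assumed) <head> fragment with the parameter HTML-escaped.
    Interpolating the raw value here would reproduce the vulnerable pattern."""
    safe = html.escape(ajax_value or "", quote=True)
    return f'<head><meta name="ajax" content="{safe}"></head>'


def flags_request(url: str) -> bool:
    """True when the request's `ajax` value carries markup characters: the
    condition a WAF rule or an access-log sweep would use for this issue."""
    value = ajax_param(url)
    return value is not None and _HTML_SIGNIFICANT.search(value) is not None


def screen_log(lines: List[str]) -> List[str]:
    """Return the request targets from access-log lines that the check flags."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and flags_request(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.cfm?ajax=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:01 +0000] "GET /index.cfm?ajax=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /about HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for target in screen_log(SAMPLE_LOG):
        print("flagged:", target, "->", render_head(ajax_param(target)))
```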