PT-2025-50881 · Masacms · Masacms

Ocssor · Published 2025-12-12 · Updated 2025-12-17 · CVE-2025-66492

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Masa CMS versions 7.2.8 and below
Masa CMS versions 7.3.1 through 7.3.13
Masa CMS versions 7.4.0-alpha.1 through 7.4.8
Masa CMS versions 7.5.0 through 7.5.1

Description
Masa CMS, an open source Enterprise Content Management platform, is susceptible to a Cross-Site Scripting (XSS) issue. The unsanitized value of the ajax URL query parameter is written directly into the <head> section of the HTML page, so a crafted value in that parameter is rendered as markup rather than as text. This allows an attacker to execute arbitrary scripts within the user's session, potentially leading to session hijacking, data theft, defacement, and malware distribution.

Recommendations
Update to a fixed release:
Masa CMS version 7.2.9 or later
Masa CMS version 7.3.14 or later
Masa CMS version 7.4.9 or later
Masa CMS version 7.5.2 or later
Configure a Web Application Firewall (WAF) rule, such as ModSecurity, to block requests containing common XSS payload characters in the ajax query parameter.
Implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.
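The following is an added example, not Masa CMS code: the advisory does not show the CMS's own rendering logic, so a stand-in page template is used to contrast the vulnerable pattern (raw query value written into <head>) with the two server-side controls the recommendations describe, namely escaping the value for the HTML context it lands in and, more strictly, reducing it to a fixed set of accepted values. The template, the handle_request helper, the constructed sample URL, and the assumption that ajax is only ever a true/false flag are all illustrative assumptions. A separate check flags values carrying HTML metacharacters, in the spirit of the WAF rule; that check is defense in depth only, since output encoding is what actually closes the hole.

```python
# Added example (not Masa CMS code): vulnerable vs. hardened handling of a
# URL query parameter that is reflected into the <head> of an HTML page.
# Template, handler and the "ajax is a true/false flag" semantics are
# assumptions for illustration; the advisory does not show the CMS code.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL whose ajax value carries the characters that matter
# inside an HTML attribute: a double quote, angle brackets and an ampersand.
SAMPLE_URL = 'https://cms.example.invalid/?ajax=x%22%3E%3Cb%3E%26'


def head_unsafe(value: str) -> str:
    """Vulnerable pattern: the raw query value is written into <head> verbatim."""
    return f'<head><meta name="ajax" content="{value}"></head>'


def head_escaped(value: str) -> str:
    """Hardened pattern: HTML-escape the value for the attribute context it lands in.
    quote=True also escapes both quote characters, so the attribute cannot be closed."""
    return f'<head><meta name="ajax" content="{html.escape(value, quote=True)}"></head>'


def normalize_ajax_flag(value: str) -> str:
    """Stricter alternative: map the parameter onto a fixed set of accepted values.
    Assumes (not stated by the advisory) that ajax only ever means true/false."""
    return "true" if value.strip().lower() in ("1", "true", "yes") else "false"


def ajax_param_needs_review(value: str) -> bool:
    """Edge-side check in the spirit of the WAF recommendation: flag values that
    contain HTML metacharacters. Defense in depth only; it does not replace escaping."""
    return any(ch in value for ch in '<>"\'')


def handle_request(url: str) -> dict:
    """Render the three variants for the ajax value carried by the URL."""
    raw = parse_qs(urlsplit(url).query).get("ajax", [""])[0]
    return {
        "flagged": ajax_param_needs_review(raw),
        "unsafe": head_unsafe(raw),
        "escaped": head_escaped(raw),
        "allowlisted": head_escaped(normalize_ajax_flag(raw)),
    }


if __name__ == "__main__":
    for key, out in handle_request(SAMPLE_URL).items():
        print(f"{key:12}: {out}")
```

Running the block on SAMPLE_URL shows the unescaped variant closing the attribute and emitting a new tag, while the escaped variant keeps the same characters as inert text (&quot;, &gt;, &lt;, &amp;) and the allowlisted variant reduces the value to false. Escaping must match the context the value is written into; an attribute value, element text, and a script block each need different encoding, which is why a generic "strip dangerous characters" middleware is weaker than encoding at the point of output.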

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-66492
GHSA-249C-VQWV-43VC

Affected Products

Masacms