PT-2026-38228 · Masacms
High · guustnieuwenhuis
Published: 2026-05-06 · Updated: 2026-05-07
CVE-2026-40325
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Masa CMS versions prior to 7.2.10
Masa CMS versions prior to 7.3.15
Masa CMS versions prior to 7.4.10
Masa CMS versions prior to 7.5.3
Description
The cTrash.restore function fails to properly validate anti-CSRF (Cross-Site Request Forgery) tokens during content restoration requests. This allows an attacker to deceive an authenticated administrator into submitting a forged request to restore deleted items. By manipulating the parentid parameter, the attacker can place restored items in a location of their choosing within the site structure. This may lead to the restoration of malicious or outdated content, exposure of sensitive documents in public areas, and disruption of site integrity.
Recommendations
Update to version 7.2.10.
Update to version 7.3.15.
Update to version 7.4.10.
Update to version 7.5.3.
Restrict access to the administrative backend.
Use browser isolation for administrative sessions.
Regularly empty the trash to reduce the amount of content available for unauthorized restoration.
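To make the flaw in the description concrete, the following is an added illustration (Python stand-in, not Masa CMS code, which is written in CFML): a restore handler that trusts the session cookie alone beside a hardened one that requires the per-session anti-CSRF token and checks that parentid names an existing node. The site tree, trash contents and session store are constructed sample data.

```python
import hmac
import secrets

# Constructed sample data (not from Masa CMS): a tiny site tree and trash bin.
def sample_site():
    tree = {"root": None, "public": "root", "private-docs": "root"}
    trash = {"doc-1": {"title": "Internal price list", "orig_parent": "private-docs"}}
    return tree, trash

SESSIONS = {}  # session id -> {"user": name, "csrf": per-session token}

def login(user):
    """Create an authenticated admin session with its own anti-CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def restore_vulnerable(sid, tree, trash, itemid, parentid):
    """Pattern of the reported flaw: only the session cookie is checked.
    A cross-site form post carries the admin's cookie automatically, so a
    forged request restores the item wherever parentid says."""
    if sid not in SESSIONS:
        raise PermissionError("not authenticated")
    trash.pop(itemid)
    tree[itemid] = parentid
    return parentid

def restore_fixed(sid, tree, trash, itemid, parentid, csrf_token):
    """Hardened handler: the request must carry the token bound to this
    session (which a third-party page cannot read), compared in constant
    time, and parentid must name an existing node of the site tree."""
    sess = SESSIONS.get(sid)
    if sess is None:
        raise PermissionError("not authenticated")
    if not csrf_token or not hmac.compare_digest(csrf_token, sess["csrf"]):
        raise PermissionError("anti-CSRF token missing or invalid")
    if parentid not in tree:
        raise ValueError("unknown parentid %r" % parentid)
    if itemid not in trash:
        raise KeyError("item not in trash")
    trash.pop(itemid)
    tree[itemid] = parentid
    return parentid
```

With the hardened handler a forged request lacking the token is rejected before anything leaves the trash, which is the check the fixed releases listed above are meant to supply.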
Fix
CSRF
Affected Products: Masacms