PT-2026-38229 · Masacms · Masacms
Guustnieuwenhuis
Published: 2026-05-06
Updated: 2026-05-07
CVE-2026-40326
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Masa CMS versions prior to 7.2.10
Masa CMS versions prior to 7.3.15
Masa CMS versions prior to 7.4.10
Masa CMS versions prior to 7.5.3
Description
The createBundle() function in csettings.cfc fails to properly validate anti-CSRF (Cross-Site Request Forgery) tokens during site bundle creation requests. This allows an attacker to trick a logged-in administrator into triggering the silent creation of a site bundle via a malicious webpage or link. The resulting bundle is stored in a predictable, publicly accessible web directory, enabling an unauthenticated attacker to retrieve sensitive information, including site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data.
Recommendations
Update to version 7.2.10.
Update to version 7.3.15.
Update to version 7.4.10.
Update to version 7.5.3.
Remove unexpected bundle files from public directories.
Restrict access to the affected endpoint.
Limit exposure of administrative sessions.
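The description above turns on one missing check: the bundle-creation request was accepted on the strength of the administrator's session cookie alone, which any page the admin visits can cause the browser to send. The following added example (illustrative Python, not Masa CMS code; the Session, Request and create_bundle_* names are hypothetical) shows the flawed handler pattern beside a hardened one that also requires a per-session synchroniser token, compared in constant time, and rejects requests whose Origin header does not match the site.

```python
"""Synchroniser-token CSRF check for a state-changing admin endpoint.

Added illustration, not Masa CMS code.  Both handlers perform the same
authorisation check; only the hardened one also verifies a token that a
cross-origin page cannot read.  All names here are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Cookie-bound server-side session; the token is generated once per session."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    session: Optional[Session]          # attached by the browser via cookie
    form: dict                          # POST body, controlled by the page that submitted it
    origin: Optional[str] = None        # Origin header, set by the browser, not by page script


class Forbidden(Exception):
    pass


def _write_bundle(user: str) -> str:
    # Stand-in for the real export.  A non-guessable file name is used so the
    # artefact cannot be fetched by path guessing even if it is web-served.
    return f"bundle-{user}-{secrets.token_hex(16)}.zip"


def create_bundle_unsafe(req: Request) -> str:
    """Flawed pattern: authentication/authorisation only.  Any third-party page
    that auto-submits this form succeeds, because the browser adds the cookie."""
    if req.session is None or not req.session.is_admin:
        raise Forbidden("admin session required")
    return _write_bundle(req.session.user)


def create_bundle_safe(req: Request, site_origin: str) -> str:
    """Hardened pattern: same authorisation check, plus a synchroniser token
    that only same-origin pages can obtain, plus an Origin check as an
    independent second signal."""
    if req.session is None or not req.session.is_admin:
        raise Forbidden("admin session required")
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison: do not leak token prefixes through timing.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        raise Forbidden("missing or invalid CSRF token")
    if req.origin is not None and req.origin != site_origin:
        raise Forbidden("cross-origin request rejected")
    return _write_bundle(req.session.user)


def demo() -> dict:
    """Runs both handlers against a constructed forged request and a
    constructed legitimate one; returns which handler accepted which."""
    site = "https://cms.example.test"              # constructed sample origin
    admin = Session(user="admin", is_admin=True)
    # Forged: cookie is present (browser adds it), but the form carries no
    # token and the Origin is a third-party site.
    forged = Request(session=admin, form={}, origin="https://third-party.example.test")
    # Legitimate: submitted from the admin UI with the session's own token.
    legit = Request(session=admin, form={"csrf_token": admin.csrf_token}, origin=site)

    result = {"unsafe_accepts_forged": create_bundle_unsafe(forged).endswith(".zip")}
    try:
        create_bundle_safe(forged, site)
        result["safe_accepts_forged"] = True
    except Forbidden:
        result["safe_accepts_forged"] = False
    result["safe_accepts_legit"] = create_bundle_safe(legit, site).endswith(".zip")
    return result


if __name__ == "__main__":
    print(demo())
```

The Origin check is deliberately secondary: some clients omit the header, so its absence is tolerated while a mismatch is refused. The token check is the control that actually closes the gap described in the advisory.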
Fix
CSRF
Affected Products
Masacms