PT-2026-38254 · Masacms · Masacms
Danhle5402
Published 2026-05-06
Updated 2026-05-12
CVE-2026-40332
CVSS v4.0 5.3 Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Masa CMS versions prior to 7.2.10
Masa CMS versions prior to 7.3.15
Masa CMS versions prior to 7.4.10
Masa CMS versions prior to 7.5.3
Description
Improper handling of scheme-relative URLs allows an open redirect. The application treats redirect targets that begin with a double slash (//) as internal paths and does not validate the destination before issuing the redirect, even though a browser resolves //host/path as a URL on host. An attacker can therefore craft a link on the trusted domain that sends users to an external site, which can be used for phishing or for exposing tokens and other sensitive data during authentication flows.
Recommendations
Update to version 7.2.10.
Update to version 7.3.15.
Update to version 7.4.10.
Update to version 7.5.3.
Reject or rewrite redirect parameters that begin with //.
Disable forceDirectoryStructure if compatible with the deployment.
Fix
Open Redirect
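The recommendation to reject or rewrite redirect parameters that begin with // can be enforced with a small allow-list validator. The following is an added example and not Masa CMS code; the fallback path and function names are assumptions, and it also covers the browser-equivalent spellings of a scheme-relative URL (backslashes, embedded tabs or newlines) that a plain startswith("//") check would miss.

```python
"""Redirect-target validation that rejects scheme-relative (//host) URLs.

Added example, not Masa CMS code. Implements the advisory's advice to
reject or rewrite redirect parameters that begin with //.
"""
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"  # hypothetical same-origin fallback landing page


def _normalize(target: str) -> str:
    # Browsers strip tab/CR/LF anywhere in a URL and treat backslash as a
    # slash in http(s) URLs, so "/\\evil.example" and "/\t/evil.example"
    # both end up as //evil.example. Normalize before checking.
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n")
    return cleaned.strip().replace("\\", "/")


def is_safe_redirect_target(target: str) -> bool:
    """True only for a same-origin, path-only target such as /account?tab=1."""
    if not target:
        return False
    norm = _normalize(target)
    if norm.startswith("//"):          # scheme-relative: //evil.example/...
        return False
    parts = urlsplit(norm)
    if parts.scheme or parts.netloc:   # absolute URL (https:, javascript:) or authority
        return False
    if not norm.startswith("/"):       # bare relative path: force the caller to default
        return False
    return True


def resolve_redirect(target: str, rewrite: bool = False) -> str:
    """Return a safe redirect target, either rewriting //x to /x or falling back."""
    norm = _normalize(target or "")
    if rewrite and norm.startswith("/"):
        # Collapse any run of leading slashes so the path stays on this host.
        norm = "/" + norm.lstrip("/")
    return norm if is_safe_redirect_target(norm) else DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ["/account?tab=1", "//evil.example/login",
                      "/\\evil.example", "https://evil.example", "/\t/evil.example"]:
        print(repr(candidate), "->", resolve_redirect(candidate))
```

Use `rewrite=True` only where the deployment relies on existing links with doubled slashes; rejecting with a fallback is the simpler default.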