CVE-2025-66492

Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e
https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc

Configurations

No configuration.

History

12 Dec 2025, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-12 05:16

Updated : 2025-12-12 15:17

NVD link : CVE-2025-66492

Mitre link : CVE-2025-66492

CVE.ORG link : CVE-2025-66492

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

8.2 /10