Masa CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-66492 - Vulnerability Database

Masa CMS

Masa CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-66492

Medium

Reference: CVE-2025-66492

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2025-66492

Title: Masa CMS Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below 7.3.1 through 7.3.13 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the ltheadgt section of the HTML page. An attacker can execute arbitrary scripts in the context of the user39s session potentially leading to Session Hijacking Data Theft Defacement and Malware Distribution. This issue is fixed in versions 7.5.2 7.4.9 7.3.14 and 7.2.9. To work around this issue configure a Web Application Firewall (WAF) rule (e.g. ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.