CVE-2025-66492

Dec. 22, 2025, 6:46 p.m.

8.2
High

Description

Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.

Product(s) Impacted

Vendor Product Versions
Masacms
  • Masacms
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a masacms masacms / / / / / / / /
a masacms masacms / / / / / / / /
a masacms masacms / / / / / / / /
a masacms masacms / / / / / / / /

References

https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e
https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc

Tags

security-advisories@github.com
2025-12-12
CVE-2025-66492

CVSS Score

8.2 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

    View Vector String

Timeline

Published: Dec. 12, 2025, 5:16 a.m.
Last Modified: Dec. 22, 2025, 6:46 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.