Overview
A critical remote code execution (RCE) vulnerability, identified as CVE-2024-32641, has been discovered in Masa CMS. This vulnerability affects versions prior to 7.2.8, 7.3.13, and 7.4.6. An unauthenticated attacker can exploit this flaw to execute arbitrary code on the affected server.
Technical Details
The vulnerability resides in the addParam function within Masa CMS. This function accepts user input through the criteria parameter and passes it, without validation, to the setDynamicContent function, which evaluates it. By sending a request whose criteria value contains specially crafted input within the m tag, an unauthenticated attacker can inject and execute arbitrary code on the server, giving complete control of the affected system.
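The following is an added illustration of the bug class described above, written for this page; it is not Masa CMS code and does not reproduce the project's actual addParam or setDynamicContent implementations. It assumes an expander that evaluates expressions written as [m]...[/m] (the bracket syntax is an assumption), intended only for trusted editor content, and shows what goes wrong when request-supplied input reaches it, alongside a hardened flow in which untrusted input is neutralized and substituted only after expansion:

```python
import re

# Constructed illustration of the vulnerability class, not Masa CMS code.
# The expander evaluates expressions inside [m]...[/m] tags (assumed syntax).
# It is a feature for trusted editor content and must never see raw request input.
M_TAG = re.compile(r"\[m\](.*?)\[/m\]", re.DOTALL)


def set_dynamic_content(content, ctx):
    """Hypothetical expander: replace every [m]expr[/m] with the evaluated expr."""
    def _expand(match):
        expr = match.group(1)
        # Powerful by design: trusted editors may reference context values.
        # A stripped builtins dict is NOT a sandbox; the fix is keeping
        # untrusted text out of this function, not hardening eval.
        return str(eval(expr, {"__builtins__": {}}, dict(ctx)))
    return M_TAG.sub(_expand, content)


def add_param_vulnerable(template, criteria, ctx):
    """Vulnerable pattern: the request parameter is spliced into the content
    string first, then the whole string goes to the expander, so any [m] tag
    the requester supplied is evaluated as well."""
    content = template.replace("{criteria}", criteria)
    return set_dynamic_content(content, ctx)


def neutralize_m_tags(text):
    """Render untrusted text inert for the expander by breaking the tag
    syntax (brackets become HTML character references). Output encoding for
    the final HTML context is a separate step."""
    return text.replace("[", "&#91;").replace("]", "&#93;")


def add_param_fixed(template, criteria, ctx):
    """Hardened pattern: expand only the trusted template, then substitute
    the neutralized request value, so untrusted input never reaches eval."""
    rendered = set_dynamic_content(template, ctx)
    return rendered.replace("{criteria}", neutralize_m_tags(criteria))


if __name__ == "__main__":
    # Constructed sample: a trusted template and a context value an editor may use.
    ctx = {"site_name": "Example Site"}
    template = "Results for: {criteria} on [m]site_name[/m]"
    print(add_param_vulnerable(template, "news", ctx))
    print(add_param_vulnerable(template, "[m]7*6[/m]", ctx))   # expression evaluated
    print(add_param_fixed(template, "[m]7*6[/m]", ctx))        # rendered as literal text
```

The ordering in add_param_fixed is the design point: content from trusted storage is expanded before any request value is merged in, so the evaluator's input never contains attacker-controlled bytes regardless of how those bytes are encoded.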
CVSS Analysis
The vulnerability has been assigned a CRITICAL severity rating and a CVSS score of 9.8. This score reflects the high risk associated with this vulnerability, given the ease of exploitation and the potential for significant impact.
Possible Impact
Successful exploitation of CVE-2024-32641 could lead to:
- Full system compromise
- Data theft and exfiltration
- Website defacement
- Malware distribution
- Denial-of-service (DoS) attacks
Mitigation and Patch Steps
The recommended mitigation is to immediately upgrade your Masa CMS installation to one of the following versions:
- 7.2.8 or later
- 7.3.13 or later
- 7.4.6 or later
These versions contain the necessary patches to address this vulnerability. Verify the upgrade was successful after installation.
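As an added aid for the verification step (this script is not Masa CMS tooling), the check below compares an installed version string against the fixed releases named above and reports whether the installation is still within the affected range. It assumes a plain major.minor.patch version string, treats anything before the 7.2 branch as affected per the wording "prior to 7.2.8", and treats branches newer than 7.4 as outside the advisory's scope rather than as fixed:

```python
from typing import Optional, Tuple

# Fixed versions per branch, taken from the advisory's mitigation section.
FIXED_VERSIONS = {
    (7, 2): (7, 2, 8),
    (7, 3): (7, 3, 13),
    (7, 4): (7, 4, 6),
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a 3-tuple; a suffix such as '-beta'
    after a hyphen is dropped (assumption about the version format)."""
    core = v.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {v!r}")
    while len(parts) < 3:
        parts += (0,)
    return parts[:3]


def is_vulnerable(v: str) -> Optional[bool]:
    """True if the version is below the fix for its branch, False if it is at
    or above the fix, None if the branch is not covered by the advisory."""
    ver = parse_version(v)
    branch = ver[:2]
    if branch in FIXED_VERSIONS:
        return ver < FIXED_VERSIONS[branch]
    if branch < (7, 2):
        return True   # "prior to 7.2.8" covers every earlier branch
    return None       # newer branch; not addressed by this advisory


def describe(v: str) -> str:
    """Human-readable verdict for use after an upgrade."""
    status = is_vulnerable(v)
    if status is True:
        fix = FIXED_VERSIONS.get(parse_version(v)[:2], (7, 2, 8))
        return f"{v}: AFFECTED, upgrade to {'.'.join(map(str, fix))} or later"
    if status is False:
        return f"{v}: patched"
    return f"{v}: branch not covered by CVE-2024-32641 advisory"


if __name__ == "__main__":
    # Constructed sample inputs; replace with the version shown by your installation.
    for sample in ("7.2.7", "7.2.8", "7.3.12", "7.4.6", "7.1.0", "7.5.0"):
        print(describe(sample))
```

Run it against the version reported by the installation after upgrading; a "patched" verdict for the branch in use confirms the version part of the verification, though it does not replace checking that the upgraded files were actually deployed to the running instance.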
References
- GitHub Commit: https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6
- GitHub Security Advisory: https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32641
