CVE-2025-66492
Chinese title:
(no data)
English title:
Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter
Vulnerability description
Chinese description:
(no data)
English description:
Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS because the unsanitized value of the `ajax` URL query parameter is included directly within the `<head>` section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to session hijacking, data theft, defacement and malware distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the `ajax` query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the `ajax` parameter before it reaches the vulnerable rendering logic.
CWE type:
Tags:
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| MasaCMS | MasaCMS | < 7.2.9 | - | - | cpe:2.3:a:masacms:masacms:<_7.2.9:*:*:*:*:*:*:* |
| MasaCMS | MasaCMS | >= 7.3.1, < 7.3.14 | - | - | cpe:2.3:a:masacms:masacms:>=_7.3.1,_<_7.3.14:*:*:*:*:*:*:* |
| MasaCMS | MasaCMS | >= 7.4.0-alpha.1, < 7.4.8 | - | - | cpe:2.3:a:masacms:masacms:>=_7.4.0-alpha.1,_<_7.4.8:*:*:*:*:*:*:* |
| MasaCMS | MasaCMS | >= 7.5.0, < 7.5.2 | - | - | cpe:2.3:a:masacms:masacms:>=_7.5.0,_<_7.5.2:*:*:*:*:*:*:* |
| masacms | masacms | * | - | - | cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*:* |
Solution
Chinese solution:
English solution:
Workaround:
CVSS score details
3.1 (cna)
HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
Timeline
Exploit information
Data source details
| Data source | Record ID | Version | Extracted at |
|---|---|---|---|
| CVE | cve_CVE-2025-66492 | 2025-12-19 03:24:10 | 2026-01-12 02:12:25 |
| NVD | nvd_CVE-2025-66492 | 2025-12-23 04:10:44 | 2026-01-12 02:28:04 |
Versions and languages
Security advisories
Change history
- affected_products_count: 4 -> 5
- data_sources: ['cve'] -> ['cve', 'nvd']