Masa CMS Authentication Bypass Vulnerability via Tag URL Modification

Vulnerability

An authentication bypass vulnerability has been identified in Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6. When a page is restricted to specific user groups, it typically requires users to log in before accessing the content. However, by modifying the URL to include a '/tag/' declaration, the CMS will bypass these group restrictions and render the page content. This issue allows unauthorized users to access pages that should require authentication.

Impact

Exploitation of this vulnerability leads to unauthorized access to restricted pages, allowing users to view content that should be behind a login requirement.

Reproduction

To reproduce this vulnerability, set up a Masa CMS instance and create a page with group access restrictions. After publishing the page, attempt to access it in a new browser or incognito window, which will prompt for authentication as expected. However, if the URL is modified to include a '/tag/' declaration, the page will be rendered without requiring login, bypassing the access restrictions.

Remediation

Users can update to Masa CMS versions 7.2.8, 7.3.13, or 7.4.6 to address this vulnerability.
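As an added defensive example (not code from Masa CMS or from this advisory), the following Python checks whether a deployed version falls within the affected ranges stated above and triages web server access logs for successful responses where a '/tag/' segment was appended to a known group-restricted page path. The combined log format, the restricted-path set and the treatment of releases newer than 7.4.6 as fixed are assumptions.

```python
import re
from typing import Iterable, List, Set, Tuple

# Fixed releases per branch, as stated in the advisory.
FIXED = {(7, 2): (7, 2, 8), (7, 3): (7, 3, 13), (7, 4): (7, 4, 6)}

def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.strip().split("."))

def is_affected(version: str) -> bool:
    """True when the deployed version is prior to its branch's fixed release.
    Branches without a listed fix (e.g. 7.1.x) count as affected when older than
    7.2.8; releases newer than 7.4.6 are treated as fixed (an assumption)."""
    v = parse_version(version)
    fix = FIXED.get(v[:2])
    return v < (fix if fix is not None else min(FIXED.values()))

# Combined-log-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b')

def flag_tag_bypass_requests(log_lines: Iterable[str], restricted: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, path) for successful (200) responses where a '/tag/' segment
    was appended to a group-restricted page path; on a patched instance these
    should not be served to an unauthenticated client."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        path = m.group("path").split("?", 1)[0]
        if "/tag/" not in path:
            continue
        base = path.split("/tag/", 1)[0].rstrip("/") + "/"
        if base in restricted:
            hits.append((m.group("ip"), path))
    return hits

# Constructed sample data: one restricted page and three log lines.
RESTRICTED = {"/members/reports/"}
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Dec/2025:17:28:01 +0000] "GET /members/reports/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [03/Dec/2025:17:28:09 +0000] "GET /members/reports/tag/all/ HTTP/1.1" 200 8812',
    '198.51.100.7 - - [03/Dec/2025:17:30:00 +0000] "GET /blog/tag/security/ HTTP/1.1" 200 4012',
]

if __name__ == "__main__":
    print("7.4.5 affected:", is_affected("7.4.5"))
    for client, path in flag_tag_bypass_requests(SAMPLE_LOG, RESTRICTED):
        print(f"possible bypass: {client} fetched {path}")
```

The first sample line (a 302 redirect to login on the restricted page) is the expected behaviour; the second, a 200 for the same page with '/tag/' appended, is the pattern worth reviewing on instances that have not yet been updated.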

Added: Dec 3, 2025, 5:28 PM
Updated: Dec 3, 2025, 5:28 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.