Masa CMS
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*
- <= 7.2.8
- >= 7.3.1, <= 7.3.13
- >= 7.4.0-alpha.1, <= 7.4.8
- >= 7.5.0, <= 7.5.1
A cross-site scripting (XSS) vulnerability has been identified in Masa CMS, an open-source enterprise content management platform. This issue affects versions 7.2.8 and below, as well as 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8, and 7.5.0 through 7.5.1. The vulnerability arises when an unsanitized value of the 'ajax' URL query parameter is directly included in the '<head>' section of the HTML page. This allows attackers to execute arbitrary scripts in the context of the user's session, potentially leading to session hijacking, data theft, defacement, and malware distribution.
Exploitation of this vulnerability allows for stored/reflected cross-site scripting, where injected JavaScript can be executed in the user's session context.
To reproduce this vulnerability, send a request to a Masa CMS application with a crafted 'ajax' query parameter that includes XSS payload characters. The unsanitized value will be rendered in the '<head>' section, executing the injected script.
Users are advised to upgrade to Masa CMS versions 7.5.2, 7.4.9, 7.3.14, or 7.2.9. If an immediate upgrade is not possible, a Web Application Firewall (WAF) rule can be configured to block requests with common XSS payload characters in the 'ajax' query parameter. Alternatively, server-side sanitization can be implemented to strip or escape dangerous characters before they reach the rendering logic.
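The check a WAF rule on the 'ajax' parameter would apply can also be run over existing access logs to find past requests of this kind; the following is an added example, not code from Masa CMS or from this advisory. Assumptions: the character set treated as suspicious, the combined access-log format, and the constructed sample lines. Parameter names are matched case-insensitively because CFML URL-scope keys are case-insensitive.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumed set of "XSS payload characters"; the advisory does not list them.
SUSPICIOUS = re.compile(r"[<>\"'`]")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def ajax_values(target):
    """Return every value of the 'ajax' query parameter in a request target."""
    query = urlsplit(target).query
    # Match AJAX, Ajax, ... as well: CFML URL-scope keys are case-insensitive.
    return [v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() == "ajax"]


def is_suspicious(target):
    """True if any 'ajax' value carries markup characters, even double-encoded."""
    for value in ajax_values(target):
        # parse_qsl decoded once; decode again to catch %253C-style encoding.
        if SUSPICIOUS.search(value) or SUSPICIOUS.search(unquote_plus(value)):
            return True
    return False


def scan(lines):
    """Return (client_ip, request_target) for each flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /index.cfm?ajax=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /index.cfm?ajax=%22%3E HTTP/1.1" 200 5133',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /?AJAX=%253Cx HTTP/1.1" 200 5140',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /?q=%3Cb%3E HTTP/1.1" 200 4980',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(ip, target)
```

A hit shows only that such a request was received; whether the value was reflected depends on the Masa CMS version that served it.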