Masa CMS Cross-Site Request Forgery Vulnerability in User Address Management

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Masa CMS versions through 7.5.2, specifically within the user address management feature. The issue arises because the 'cUsers.updateAddress' function does not adequately validate anti-CSRF tokens, allowing attackers to manipulate user address records. This could include adding, modifying, or deleting information such as email addresses and phone numbers. Exploitation of this vulnerability could disrupt organizational communications and corrupt address data in the user directory.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of user address records, including contact information. This could disrupt organizational communications, inject malicious data into the system, and corrupt the internal user directory.

Remediation

Users are advised to upgrade to Masa CMS versions 7.2.10, 7.3.15, 7.4.10, or 7.5.3. If an immediate upgrade is not possible, restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules to block forged requests to the affected endpoint.
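To make the missing check concrete, the following is an added illustration and not Masa CMS's own code: a minimal model of an "update address" handler showing the pattern the advisory describes (the session cookie alone authorises the change) beside a hardened version that validates a per-session anti-CSRF token. The class and function names, the sample form values and the optional Sec-Fetch-Site check are assumptions for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the affected action (an authenticated, state-changing
# "update address" request). Names are assumptions for this example, not
# Masa CMS's own API.

@dataclass
class Session:
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    address: dict = field(default_factory=dict)

def apply_address_fields(session: Session, form: dict) -> dict:
    """Copy the address-related fields from the submitted form into the record."""
    session.address.update({k: form[k] for k in ("email", "phone") if k in form})
    return session.address

def update_address_unchecked(session: Session, form: dict) -> dict:
    """Vulnerable pattern: nothing ties the request to a page the user actually
    submitted, so a forged cross-site POST is honoured for any logged-in user."""
    return apply_address_fields(session, form)

def csrf_rejection_reason(session: Session, form: dict, headers: dict) -> Optional[str]:
    """Return why the request must be refused, or None if it may proceed.
    The per-session token is the primary control; Sec-Fetch-Site, sent by
    modern browsers, is checked as defence in depth when present."""
    submitted = str(form.get("csrf_token", "")).encode("utf-8")
    if not hmac.compare_digest(submitted, session.csrf_token.encode("utf-8")):
        return "missing or invalid anti-CSRF token"
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site not in (None, "same-origin", "none"):
        return f"cross-site request refused (Sec-Fetch-Site: {fetch_site})"
    return None

def update_address_checked(session: Session, form: dict, headers: dict) -> dict:
    """Hardened pattern: refuse the update unless the anti-CSRF checks pass."""
    reason = csrf_rejection_reason(session, form, headers)
    if reason is not None:
        raise PermissionError(reason)
    return apply_address_fields(session, form)

if __name__ == "__main__":
    # Constructed sample: a request with no token, flagged cross-site by the browser.
    forged = {"email": "changed@example.invalid", "phone": "+1-555-0100"}
    victim = Session("alice")
    print("unchecked:", update_address_unchecked(victim, forged))
    victim = Session("alice")
    print("checked:", csrf_rejection_reason(victim, forged, {"Sec-Fetch-Site": "cross-site"}))
```

A token from another session is rejected in the same way as a missing one, which is what makes the control effective against forged requests.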

Added: May 6, 2026, 9:20 PM
Updated: May 6, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.0
impact          2.5
exploitability  6.4
remediation     7.9
relevance       7.6
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.