Masa CMS
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*
- <= 7.5.2
A cross-site request forgery (CSRF) vulnerability has been identified in Masa CMS versions through 7.5.2, specifically within the trash management feature. The issue arises because the cTrash.empty function does not properly validate anti-CSRF tokens, allowing an attacker to trick a logged-in administrator into sending a request that empties the trash and permanently deletes all content. This exploitation can lead to significant data loss, as deleted items cannot be recovered through standard CMS tools. The vulnerability has been patched in Masa CMS versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3.
Exploitation of this vulnerability allows for the permanent deletion of all content in the trash, causing irreversible data loss and disrupting the recovery of items intended for restoration.
Users are advised to upgrade to Masa CMS versions 7.2.10, 7.3.15, 7.4.10, or 7.5.3. If an immediate upgrade is not possible, administrators should log out of the CMS after completing tasks, use a dedicated browser for administration, configure Web Application Firewall rules to block suspicious requests to the cTrash.cfc endpoint, and maintain regular off-site database backups.
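As an added illustration (not Masa CMS code and not the vendor's patch), the bug class in miniature in Python: a trash-emptying handler that trusts the session cookie alone, beside one that requires a session-bound anti-CSRF token. The Session and Request classes are constructed stand-ins for a server session and an HTTP request.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session of a logged-in administrator (constructed stand-in)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    trash: list = field(default_factory=lambda: ["page-1", "page-2"])


@dataclass
class Request:
    """Only the parts of an HTTP request the check needs (constructed stand-in)."""
    method: str
    form: dict


def empty_trash_vulnerable(req: Request, sess: Session) -> bool:
    """Mirrors the flaw described above: the session cookie alone authorises the
    destructive action, so any request the browser sends with that cookie succeeds,
    including one triggered from a page the administrator did not intend to trust."""
    if req.method != "POST":
        return False
    sess.trash.clear()          # irreversible: nothing remains to restore
    return True


def empty_trash_hardened(req: Request, sess: Session) -> bool:
    """Require a session-bound anti-CSRF token in the request body. A cross-site
    page cannot read the victim's token, so a forged request fails this check."""
    if req.method != "POST":
        return False
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return False
    sess.trash.clear()
    return True
```

Emit `sess.csrf_token` as a hidden field in the trash-management form, and regenerate it on login so a token never outlives the session it belongs to.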