Masa CMS Cross-Site Request Forgery Vulnerability in Site Bundle Creation

Vulnerability

A cross-site request forgery (CSRF) vulnerability affects Masa CMS versions through 7.5.2. The 'createBundle' method of the 'csettings.cfc' component does not validate an anti-CSRF token before creating a site bundle, so any request that arrives with an administrator's session cookie is honoured regardless of which site originated it. An attacker can therefore host a page or link that, when visited by a logged-in administrator, silently triggers creation of a complete site bundle. The bundle is written to a predictable, publicly accessible directory, from which an unauthenticated attacker can download it and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. The issue is fixed in Masa CMS 7.2.10, 7.3.15, 7.4.10, and 7.5.3.
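The following is an added illustration of the flaw class, not code from Masa CMS or from the advisory. It models the bundle-creation action twice: once gated only by the presence of an admin session (the pattern the advisory describes) and once with the generic CSRF defences a patched endpoint is expected to apply (synchronizer token, Origin/Referer check, Sec-Fetch-Site). The site origin, the request dictionaries and the session layout are constructed for the example; the advisory does not document the real request parameters or the exact patch.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed site origin for the example; the advisory names no host.
SITE_ORIGIN = "https://cms.example.test"


def issue_csrf_token(session):
    """Synchronizer-token pattern: mint a random token, bind it to the server-side
    session, and have the admin UI embed it in the bundle-creation form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(url, expected):
    """True when scheme and host:port of url match the expected origin."""
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())


def create_bundle_vulnerable(request, session):
    """Shape of the flaw the advisory describes: the only gate is 'is there an
    admin session?'. A cross-site form post carries the victim's session cookie,
    so a forged request passes exactly like a genuine one."""
    return session.get("role") == "admin"


def create_bundle_hardened(request, session):
    """Same action with generic CSRF checks (an illustration, not the vendor patch)."""
    if session.get("role") != "admin":
        return False
    if request["method"] != "POST":            # never change state on GET
        return False
    headers = request["headers"]
    # Fetch metadata: browsers label a cross-site form submission "cross-site".
    # Absent header (older browsers) is tolerated because the token check still applies.
    if headers.get("Sec-Fetch-Site", "same-origin") != "same-origin":
        return False
    # Origin (or Referer as fallback) must be our own site.
    src = headers.get("Origin") or headers.get("Referer")
    if not src or not same_origin(src, SITE_ORIGIN):
        return False
    # The token carried by the form must match the one bound to this session.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())


def legitimate_request(token):
    """Constructed: the admin submits the real form from the CMS back end."""
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
            "form": {"csrf_token": token}}


def forged_request():
    """Constructed: an auto-submitting form on the attacker's page. The browser
    attaches the admin's cookie, but the attacker cannot read the token and the
    browser reports the true origin of the submission."""
    return {"method": "POST",
            "headers": {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"},
            "form": {}}


def run_demo():
    """Returns (vulnerable accepts legit, vulnerable accepts forged,
                hardened accepts legit, hardened accepts forged)."""
    session = {"role": "admin"}
    token = issue_csrf_token(session)
    return (create_bundle_vulnerable(legitimate_request(token), session),
            create_bundle_vulnerable(forged_request(), session),
            create_bundle_hardened(legitimate_request(token), session),
            create_bundle_hardened(forged_request(), session))


if __name__ == "__main__":
    print(run_demo())  # (True, True, True, False)
```

The vulnerable variant accepts both requests because the session cookie is all it looks at; the hardened variant rejects the forged one on the Sec-Fetch-Site and Origin checks before the token comparison is even reached, and would still reject it on the missing token if those headers were absent.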

Impact

Successful exploitation creates a site bundle without authorization and leaves it where an unauthenticated attacker can fetch it. The attacker thereby obtains a copy of the whole site: user accounts, password hashes, form submissions, email lists, plugins, all content, and sensitive configuration data. Because the administrator who triggers the request sees nothing unusual, the data theft can go unnoticed and can serve as reconnaissance for further attacks on the site.

Remediation

Upgrade to Masa CMS 7.2.10, 7.3.15, 7.4.10, or 7.5.3. If an immediate upgrade is not possible: remove any unexpected bundle files from public directories, restrict access to the 'csettings.cfc' endpoint (for example to administrator IP ranges, at the cost of blocking legitimate remote administration), and have administrators log out of the CMS when not using it, so that a forged request finds no session to ride on.
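As an added example of the check an operator can run while waiting to upgrade (not part of the advisory or of Masa CMS), the script below scans web-server access-log lines in the common "combined" format for requests to csettings.cfc whose Referer is absent or points at another host, which is the trace a cross-site forged request leaves behind. The host name, the log lines and the `?method=createBundle` query string are constructed assumptions (the query follows the usual CFML convention for invoking a remote CFC method; the advisory itself does not document the request parameters).

```python
import re
from urllib.parse import urlsplit

# Assumed host of the protected CMS; the advisory names no host.
SITE_HOST = "cms.example.test"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). Line 1 is a genuine admin action,
# lines 2 and 3 are what a forged cross-site request looks like, line 4 is noise.
SAMPLE_LOG = """\
198.51.100.7 - - [06/May/2026:21:10:02 +0000] "POST /admin/csettings.cfc?method=createBundle HTTP/1.1" 200 512 "https://cms.example.test/admin/" "Mozilla/5.0"
198.51.100.7 - - [06/May/2026:21:12:45 +0000] "POST /admin/csettings.cfc?method=createBundle HTTP/1.1" 200 512 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [06/May/2026:21:13:01 +0000] "GET /admin/csettings.cfc?method=createBundle HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/May/2026:21:13:30 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def referer_verdict(referer):
    """Classify the Referer of a request to the bundle endpoint:
    None = same host, otherwise a short reason string."""
    if referer in ("", "-"):
        return "missing-referer"
    host = (urlsplit(referer).hostname or "").lower()
    return None if host == SITE_HOST else "foreign-referer"


def suspicious_bundle_requests(lines):
    """Return every request to csettings.cfc whose Referer is absent or from
    another host. Each finding carries the fields needed to pivot into the
    bundle directory and the CMS session history."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # skip lines in another format
        if "csettings.cfc" not in m["path"].lower():
            continue                              # only the vulnerable component
        reason = referer_verdict(m["referer"])
        if reason:
            findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                             "path": m["path"], "referer": m["referer"],
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_bundle_requests(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} -> {f['reason']} ({f['referer']})")
```

A missing Referer is a weaker signal than a foreign one, since a strict Referrer-Policy on the admin's browser also strips it; treat both as leads and confirm by checking whether a bundle file appeared in the public directory at the same time, then remove it.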

Added: May 6, 2026, 9:19 PM
Updated: May 6, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 3.1
exploitability: 6.4
remediation: 7.9
relevance: 7.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.