Masa CMS SQL Injection Vulnerability in beanFeed Component Allowing Database Manipulation and Potential Remote Code Execution

A critical SQL injection vulnerability has been identified in Masa CMS versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2. The vulnerability resides in the beanFeed.cfc component, specifically within the getQuery function, where the sortDirection parameter is improperly handled. The parameter value is directly concatenated into SQL queries without adequate sanitization or parameterization. This flaw allows unauthenticated remote attackers to exploit the vulnerability to extract sensitive database information, modify or delete database records, or potentially execute remote code on the underlying database server.

Impact

Exploitation of this vulnerability allows for critical SQL injection, enabling attackers to manipulate database queries. This could lead to unauthorized data access, modification or deletion of database records, and in some cases, remote code execution on the database server.

Remediation

Users are advised to upgrade to Masa CMS versions 7.2.10, 7.3.15, 7.4.10, or 7.5.3. If an immediate upgrade is not possible, access to the beanFeed.cfc component can be blocked or restricted using a Web Application Firewall (WAF) or through web server configuration. Additionally, WAF rules can be deployed to detect and block SQL injection patterns targeting the sortDirection parameter.