Masa CMS
cpe:2.3:a:masacms:masacms:*:*:*:*:*:*:*
- <= 7.5.2
A critical SQL injection vulnerability has been identified in Masa CMS versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2. The vulnerability exists in the unauthenticated JSON API, where the altTable parameter is accepted without proper validation or sanitization. This parameter is then injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can exploit this by passing arbitrary subqueries to read sensitive data from any database table in a single HTTP request, including administrative credentials and password reset tokens. This vulnerability could lead to a complete takeover of an admin account, and, according to the Masa CMS team, could allow for remote code execution by uploading malicious plugins after gaining administrative access.
Exploitation of this vulnerability allows for full database access, extraction of admin credentials or password reset tokens, and potential remote code execution by uploading malicious plugins after gaining administrative access.
Users are advised to upgrade to Masa CMS versions 7.2.10, 7.3.15, 7.4.10, or 7.5.3. If an immediate upgrade is not possible, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names. Alternatively, configure Web Application Firewall (WAF) rules to block requests to the JSON API that contain SQL keywords in the altTable parameter, or disable the JSON API if it is not needed.
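To check whether the JSON API has already received non-conforming altTable values, the same "simple table name" rule can be applied to web access logs. The script below is an added example, not code from Masa CMS or from this advisory. It assumes a common/combined access-log format, treats letters, digits and underscore as a valid table name, uses constructed log lines with placeholder paths, and sees only query-string parameters, not request bodies.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: a "simple alphanumeric table name" is letters, digits and underscore.
SAFE_TABLE = re.compile(r"[A-Za-z0-9_]{1,64}")
# Assumption: common/combined log format, request line in a quoted field.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded values are judged on content."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def alt_table_values(target):
    """Return every altTable value in the query string (name matched case-insensitively)."""
    pairs = parse_qsl(urlsplit(target).query)
    return [fully_decode(v) for k, v in pairs if fully_decode(k).lower() == "alttable"]

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for requests whose altTable is not a plain name."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a parseable request line
        for value in alt_table_values(m.group("target")):
            if value and not SAFE_TABLE.fullmatch(value):
                hits.append((n, value))
    return hits

# Constructed sample lines (not real traffic); paths and addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /api/placeholder?altTable=sampletable HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "GET /api/placeholder?ALTTABLE=%28SELECT%201%29%20x HTTP/1.1" 200 900',
    '192.0.2.12 - - [01/Jan/2025:10:00:09 +0000] "GET /api/placeholder?alttable=%2528SELECT%25201%2529%2520x HTTP/1.1" 200 900',
    '192.0.2.13 - - [01/Jan/2025:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: altTable={value!r}")
```

Any hit on a version listed above is a reason to review the corresponding response size and to rotate admin credentials and outstanding password reset tokens.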