cbcvebase.
CVE-2024-32641
published 2025-12-03

Priority: P278 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.65% (95.2th percentile)

Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| masacms | masacms | < 7.2.8 | 7.2.8 |
| masacms | masacms | | |
| masacms | masacms | | |
| masacms | masacms | >= 7.3 < 7.3.13 | 7.3.13 |
| masacms | masacms | >= 7.4.0 < 7.4.6 | 7.4.6 |

Detection & IOCs (extracted from sources)

url: /index.cfm/_api/json/v1/default/?
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MasaCMS m Tag Pre-Auth RCE via JSON API (CVE-2024-32641)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.cfm/_api/json/v1/default/?"; fast_pattern; pcre:"/^.*(?:%5[bB]|\x5b)m(?:%5[dD]|\x5d).*(?:%5[bB]|\x5b)\x2fm(?:%5[dD]|\x5d)/R"; reference:url,github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm; reference:cve,2024-32641; classtype:attempted-admin; sid:2065999; rev:1;)
  • Exploit requests use HTTP GET to the JSON API endpoint /index.cfm/_api/json/v1/default/? with URL-encoded or literal square-bracket `[m]` and `[/m]` patterns in the URI, corresponding to the malicious `m` tag injection.
  • The vulnerability is exploitable pre-authentication; no session or credentials are required. Monitor for unauthenticated GET requests to the JSON API endpoint containing `[m]` / `[/m]` tag patterns.
  • The attack vector is the `criteria` query parameter passed to `addParam`, which is then evaluated by `setDynamicContent`. Look for unusual or code-like values in the `criteria` parameter on requests to the JSON API.
  • MITRE mapping: TA0001 Initial Access / T1190 Exploit Public-Facing Application. Correlate web server logs for exploitation attempts against internet-exposed Masa CMS instances.
  • The Snort/ET rule (sid:2065999) matches only plaintext HTTP traffic (`tls_state plaintext`). Exploitation over HTTPS will not be detected by this rule without TLS inspection.
  • Patched versions are 7.2.8, 7.3.13, and 7.4.6. Versions prior to these are vulnerable. Ensure the running version is confirmed before relying solely on detection.
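
The web-server log correlation described in the bullets above, as an added example (not code from the advisory, the rule author or the Masa CMS project). It applies the rule's logic to access logs, which also covers HTTPS traffic the network rule cannot see, and goes slightly beyond the rule by decoding repeated percent-encoding and ignoring path case. The combined log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

ENDPOINT = "/index.cfm/_api/json/v1/default/"  # JSON API path named in the rule
M_TAG = re.compile(r"\[m\].*?\[/m\]", re.I | re.S)  # opening tag, then closing tag
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; PLACEHOLDER stands in for the tag body.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Dec/2025:10:00:01 +0000] "GET /index.cfm/_api/json/v1/default/?criteria=%5Bm%5DPLACEHOLDER%5B%2Fm%5D HTTP/1.1" 200 512',
    '203.0.113.8 - - [03/Dec/2025:10:00:02 +0000] "GET /index.cfm/_api/json/v1/default/?criteria=%255Bm%255DPLACEHOLDER%255B%252Fm%255D HTTP/1.1" 200 512',
    '198.51.100.4 - - [03/Dec/2025:10:00:03 +0000] "GET /index.cfm/_api/json/v1/default/?page=2&sort=title HTTP/1.1" 200 2048',
    '198.51.100.5 - - [03/Dec/2025:10:00:04 +0000] "GET /blog/?q=%5Bm%5Dnote%5B%2Fm%5D HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded brackets are caught too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict for a GET to the JSON API carrying [m]...[/m]."""
    req = REQUEST.search(line)
    if not req or req["method"] != "GET":
        return None
    path, _, query = req["uri"].partition("?")
    if not path.lower().endswith(ENDPOINT):  # CFML paths may vary in case
        return None
    # Parameters whose decoded value holds the tag pair; the page names `criteria`.
    params = [k for k, v in parse_qsl(query, keep_blank_values=True)
              if M_TAG.search(fully_decode(v))]
    if not params and not M_TAG.search(fully_decode(query)):
        return None
    return {"client": line.split(" ", 1)[0], "params": params}

def scan(lines):
    """Run inspect_line over an iterable of log lines, keeping only findings."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a request with the tag pair reached the endpoint; whether the instance was vulnerable still depends on the running version.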