CVE-2024-32643

Published: Dec 3, 2025Modified: Dec 5, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.

Affected (3)

Products: Masacms: Masacms

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Masacms Masacms	Before 7.2.8
Masacms Masacms	From 7.3 to 7.3.13
Masacms Masacms	From 7.4.0 to 7.4.6

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://github.com/MasaCMS/MasaCMS/commit/d1a2e57ef8dbc50c87b178eacc85fcccb05f5b6c

Source: security-advisories@github.com

Patch

https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-f469-jh82-97fv

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.