Description
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations.

An attacker can induce a logged-in administrator to submit a forged request that adds, modifies, or deletes user address records, including email addresses and phone numbers. This can be used to alter contact information, redirect organizational communications, and corrupt address data in the user directory. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules to block forged requests to the affected endpoint.
Published: 2026-05-06
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Masa CMS versions 7.5.2 and earlier, the function that updates user address information fails to validate cross‑site request forgery (CSRF) tokens. An attacker who can coerce a logged‑in administrator into submitting a forged HTTP request can add, modify, or delete addresses, phone numbers, and e‑mail addresses. This direct manipulation of user data can change contact information, redirect communications, and corrupt the user directory. The flaw is a classic CSRF weakness and is classified as CWE‑352.

Affected Systems

The vulnerability affects the Masa CMS product only. The fix shipped in 7.2.10, 7.3.15, 7.4.10 and 7.5.3, so the affected builds are the earlier releases on the 7.2, 7.3, 7.4 and 7.5 branches, up to and including 7.5.2. Users should confirm they are running one of the patched releases rather than relying on the branch number alone.

Risk and Exploitability

The CVSS 4.0 base score of 7.1 indicates high severity, but no EPSS score is available, so the current likelihood of exploitation is unknown. The vulnerability is not listed in CISA’s KEV catalog. According to the advisory, the attack requires the victim to be authenticated to the administrative backend and then be tricked into submitting a forged request (CVSS UI:P); the attacker needs no account of their own (PR:N). A malicious link or an auto-submitting form is enough: the victim’s browser attaches the session cookie, and because the handler never checks for an anti-CSRF token, the forged request runs with the administrator’s privileges. The missing token check makes exploitation straightforward for an attacker with social engineering capability or control of a page the administrator will load.

Generated by OpenCVE AI on May 6, 2026 at 21:37 UTC.

Remediation

Fixed releases: 7.2.10, 7.3.15, 7.4.10 and 7.5.3. Workarounds given in the advisory: restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules that block forged requests to the affected endpoint.

OpenCVE Recommended Actions

  • Upgrade Masa CMS to version 7.5.3 or later; if you must stay on an older branch, move to 7.2.10, 7.3.15 or 7.4.10, which carry the same fix for the CSRF check.
  • Restrict access to the administrative backend so that only trusted accounts, from trusted networks, can reach user‑address management endpoints.
  • Employ browser isolation for administrative sessions (for example a dedicated browser profile used only for the backend), so that pages loaded elsewhere cannot submit requests carrying the admin session cookie.
  • Configure a web application firewall or similar filtering to drop state‑changing requests to the affected endpoint that do not originate from the site itself (for example by checking the Origin or Referer header), as a stop‑gap until the upgrade is applied.
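The Impact section above describes the mechanism (a state-changing handler that never checks an anti-CSRF token) and the recommended actions mention filtering rules. The following is an added illustration, written here for this page; it is not Masa CMS code and does not reproduce the cUsers.updateAddress handler, which is CFML. It uses Python so that it runs stand-alone, and the Session, Request, update_address_vulnerable, update_address_fixed and origin_filter_allows names, along with the sample requests, are hypothetical. It shows the vulnerable shape beside the fixed one (a per-session synchronizer token, compared in constant time) and the kind of Origin-based check an edge proxy can apply as a stop-gap.

```python
"""
Added example (not Masa CMS code): an address-update handler without and
with an anti-CSRF token check, plus an Origin-based edge filter.
All names and sample requests are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Session:
    """Server-side session of an authenticated admin (hypothetical model)."""
    user_id: str
    # Synchronizer token: unguessable, minted once per session, never sent in a cookie.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    addresses: dict = field(default_factory=dict)


@dataclass
class Request:
    """The parts of an HTTP request the checks below look at (hypothetical model)."""
    method: str
    headers: dict
    form: dict


def _write_address(session: Session, form: dict) -> None:
    session.addresses[form["addressid"]] = {
        "email": form.get("email"),
        "phone": form.get("phone"),
    }


def update_address_vulnerable(session: Session, req: Request) -> bool:
    """Before: any POST that arrives with a valid session cookie is honoured.
    A form auto-submitted from an attacker's page looks identical to the
    admin's own click, which is the CWE-352 condition the advisory describes."""
    if req.method != "POST":
        return False
    _write_address(session, req.form)
    return True


def update_address_fixed(session: Session, req: Request) -> bool:
    """After: the request must echo the per-session token in its body.
    The attacker's page cannot read that token (same-origin policy), so a
    forged post is rejected before any data is touched."""
    if req.method != "POST":
        return False
    submitted = req.form.get("csrf_token", "")
    # Compare as bytes in constant time; a plain == leaks timing, and
    # compare_digest on str objects rejects non-ASCII input with TypeError.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False
    _write_address(session, req.form)
    return True


def origin_filter_allows(req: Request, site_host: str) -> bool:
    """Edge/WAF-style stop-gap matching the 'filtering rules' workaround:
    reject state-changing requests whose Origin (or, failing that, Referer)
    is not the site itself. Browsers send Origin on cross-site form POSTs, so
    a forged post from another site is dropped. Requests carrying neither
    header are dropped too (fail closed); that can break clients behind
    header-stripping proxies, one reason this is a workaround, not the fix."""
    if req.method not in ("POST", "PUT", "PATCH", "DELETE"):
        return True
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return False
    return urlparse(origin).hostname == site_host


# Constructed sample traffic for a site at cms.example (not captured data).
SITE_HOST = "cms.example"


def demo() -> dict:
    """Runs both handlers against a legitimate and a forged request and
    returns what each decided, so the difference is visible in one place."""
    session = Session(user_id="admin")
    legit = Request(
        "POST",
        {"Origin": "https://cms.example"},
        {"addressid": "a1", "email": "billing@cms.example",
         "phone": "+1-555-0100", "csrf_token": session.csrf_token},
    )
    # Cross-site post: the browser attaches the admin's cookie, but the
    # attacker's page has no way to fill in csrf_token.
    forged = Request(
        "POST",
        {"Origin": "https://attacker.example"},
        {"addressid": "a1", "email": "attacker@attacker.example",
         "phone": "+1-555-0199"},
    )
    return {
        "vulnerable_accepts_forged": update_address_vulnerable(Session("admin"), forged),
        "fixed_rejects_forged": not update_address_fixed(session, forged),
        "fixed_accepts_legit": update_address_fixed(session, legit),
        "filter_blocks_forged": not origin_filter_allows(forged, SITE_HOST),
        "filter_allows_legit": origin_filter_allows(legit, SITE_HOST),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The token check is the actual fix: it must be bound to the session, required on every state-changing request, and never readable cross-origin. The Origin filter only narrows the window until the patched release is deployed, and should be applied to the affected endpoint rather than site-wide if legitimate integrations post from other hosts.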

Advisories

No advisories yet.

History

Wed, 06 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Masacms; Masacms masacms
Vendors & Products    (none)           Masacms; Masacms masacms

Wed, 06 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           (the description quoted at the top of this page)
Title         (none)           Masa CMS CSRF in user address management allows unauthorized address changes
Weaknesses    (none)           CWE-352
References    (none)
Metrics       (none)           cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T19:40:23.973Z

Reserved: 2026-04-09T20:59:17.618Z

Link: CVE-2026-40174

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-06T20:16:31.997

Modified: 2026-05-06T21:22:50.760

Link: CVE-2026-40174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T22:30:13Z

Weaknesses