CVE-2024-32641

CriticalPublic PoC

Published: 03 December 2025

Published

03 December 2025

Modified

05 December 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0156 81.6th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter.…

This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through patching Masa CMS to versions 7.2.8, 7.3.13, or 7.4.6 directly eliminates the improper input handling in addParam that enables remote code execution.

SI-10 Information Input Validation good match

prevent

Validating the criteria parameter with organization-defined tools and procedures prevents unsanitized user input from being evaluated by setDynamicContent, blocking arbitrary code execution via the m tag.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection via web application firewalls monitors and controls inbound traffic, blocking or alerting on malicious criteria payloads attempting code injection exploits.

Security SummaryAI

CVE-2024-32641 is a remote code execution vulnerability affecting Masa CMS, an open source Enterprise Content Management platform. Versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable due to improper handling of user input in the addParam function. Specifically, the criteria parameter accepts unsanitized input that is passed to setDynamicContent for evaluation, enabling arbitrary code execution through the m tag. The issue is classified under CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious criteria parameter, the attacker triggers code evaluation in setDynamicContent, achieving full remote code execution on the server. This grants high confidentiality, integrity, and availability impacts, potentially allowing full system compromise.

The vulnerability is patched in Masa CMS versions 7.2.8, 7.3.13, and 7.4.6. Security practitioners should upgrade to these versions immediately. Additional details are available in the GitHub security advisory at https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm and the patching commit at https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6.

Details

CWE(s): CWE-94

Affected Products

masacms

≤ 7.2.8 · 7.3 — 7.3.13 · 7.4.0 — 7.4.6

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2024-32641 enables unauthenticated remote code execution in the public-facing Masa CMS web application via unsanitized input leading to code evaluation, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6
Patch · security-advisories@github.com
https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm
Exploit, Vendor Advisory · security-advisories@github.com