CVE-2024-32640
BaseFortify
Publication date: 2025-08-11
Last updated on: 2025-12-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| masa | cms | 7.3.13 |
| masa | cms | 7.4.6 |
| masa | cms | 7.2.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-32640 is a critical SQL injection vulnerability in the Mura/Masa CMS platform, specifically in the JSON API's processAsyncObject method when handling the displayregion object. The vulnerability arises because the ContentHistID parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL code. Exploiting this flaw enables attackers to extract sensitive data such as admin password reset tokens and user IDs, and ultimately achieve remote code execution (RCE) by uploading malicious files. The injection requires a crafted request that bypasses default escaping mechanisms and depends on certain conditions like the isOnDisplay property being true, which is set via a previewID parameter. [3, 6]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive data stored in the CMS database, such as admin credentials and user identifiers. Attackers can leverage this access to reset admin passwords and upload malicious code, leading to full remote code execution on the server. This compromises the integrity, confidentiality, and availability of the affected system, potentially allowing attackers to control the CMS, manipulate content, steal data, or use the server as a foothold for further attacks. [1, 3, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted HTTP requests to the vulnerable JSON API endpoint of the Masa/Mura CMS. One method is to send a request to the endpoint: https://target.com/_api/json/v1/default/?method=processAsyncObject&object=displayregion&contenthistid=x%5c'&previewID=x where the "contenthistid" parameter includes a backslash-escaped single quote (%5c'). Detection can be automated using tools such as the Python PoC script from the GitHub repository "Stuub/CVE-2024-32640-SQLI-MuraCMS", which sends these crafted requests and checks for SQL injection vulnerability. Additionally, a Nuclei template (ID: CVE-2024-32640) can be used to send POST requests to the vulnerable endpoint and detect the vulnerability by checking for HTTP 500 status codes and specific error messages indicating unhandled exceptions. Reconnaissance can also be performed using search engine queries (dorks) to find Masa CMS instances, such as: - Shodan: `Generator: Masa CMS` - Google: `"powered by Mura CMS"` - FOFA: `app="Mura-CMS"` These methods help identify vulnerable targets before testing. [1, 3, 6]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Masa CMS to a fixed version. The vulnerability is patched in versions 7.4.6 (for 7.4), 7.3.13 (for 7.3), and 7.2.8 (for 7.2). Users should upgrade immediately by using the βUpdate Masa CMS Coreβ option in the administrator menu (for version 7.4) or by applying manual updates (for versions 7.2 and 7.3). The updates also disable features such as enableMuraTag, enableDynamicContent, and sharableRemoteSessions by default, along with other security improvements. Applying these updates will close the SQL injection vulnerability and reduce the attack surface. [2, 4, 5]