{"id":"CVE-2024-32641","summary":"Masa CMS Vulnerable to Pre-Auth RCE via JSON API","details":"Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.","aliases":["GHSA-cj9g-v5mq-qrjm"],"modified":"2026-04-02T10:50:47.908300Z","published":"2025-12-03T16:26:00.795Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32641.json","cwe_ids":["CWE-94"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32641.json"},{"type":"ADVISORY","url":"https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32641"},{"type":"FIX","url":"https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/masacms/masacms","events":[{"introduced":"53d53e7c120068ce1102215805238ab19027fb58"},{"fixed":"fb10af6238e3e2e9aae8afce933ca6407d092fde"}],"database_specific":{"versions":[{"introduced":"7.4.0"},{"fixed":"7.4.6"}]}},{"type":"GIT","repo":"https://github.com/masacms/masacms","events":[{"introduced":"0"},{"fixed":"2ebf767d40d04562417a0e0442d1c1988078a3c6"},{"fixed":"98222fa3679fde99e92c2c8c721e8040426e41f6"}],"database_specific":{"versions":[{"introduced":"7.3.0"},{"fixed":"7.3.13"},{"introduced":"0"},{"fixed":"7.2.8"}]}}],"versions":["5.5","6.1.6029","6.2.6161","6.2.6527","7.0.6919","7.0.6930","7.0.6967","7.0.7029","7.1.100","7.1.101","7.1.102","7.1.103","7.1.104","7.1.105","7.1.106","7.1.107","7.1.108","7.1.109","7.1.110","7.1.111","7.1.112","7.1.113","7.1.114","7.1.115","7.1.116","7.1.117","7.1.118","7.1.119","7.1.120","7.1.121","7.1.122","7.1.123","7.1.124","7.1.125","7.1.126","7.1.127","7.1.128","7.1.129","7.1.130","7.1.131","7.1.132","7.1.133","7.1.134","7.1.135","7.1.136","7.1.137","7.1.138","7.1.139","7.1.140","7.1.142","7.1.143","7.1.144","7.1.145","7.1.146","7.1.147","7.1.148","7.1.149","7.1.150","7.1.151","7.1.152","7.1.153","7.1.154","7.1.155","7.1.156","7.1.157","7.1.158","7.1.159","7.1.160","7.1.161","7.1.162","7.1.163","7.1.164","7.1.165","7.1.166","7.1.167","7.1.168","7.1.169","7.1.170","7.1.171","7.1.172","7.1.173","7.1.174","7.1.175","7.1.176","7.1.177","7.1.178","7.1.179","7.1.180","7.1.181","7.1.182","7.1.183","7.1.184","7.1.185","7.1.186","7.1.187","7.1.188","7.1.189","7.1.190","7.1.191","7.1.192","7.1.193","7.1.194","7.1.195","7.1.196","7.1.197","7.1.198","7.1.199","7.1.200","7.1.201","7.1.202","7.1.203","7.1.204","7.1.205","7.1.206","7.1.207","7.1.208","7.1.209","7.1.210","7.1.211","7.1.212","7.1.213","7.1.214","7.1.215","7.1.216","7.1.217","7.1.218","7.1.219","7.1.220","7.1.221","7.1.222","7.1.223","7.1.224","7.1.225","7.1.226","7.1.227","7.1.228","7.1.229","7.1.230","7.1.231","7.1.232","7.1.233","7.1.234","7.1.235","7.1.236","7.1.237","7.1.238","7.1.239","7.1.240","7.1.241","7.1.242","7.1.243","7.1.244","7.1.245","7.1.246","7.1.247","7.1.248","7.1.249","7.1.250","7.1.251","7.1.252","7.1.253","7.1.254","7.1.255","7.1.256","7.1.257","7.1.258","7.1.259","7.1.260","7.1.261","7.1.262","7.1.263","7.1.264","7.1.265","7.1.266","7.1.267","7.1.268","7.1.269","7.1.271","7.1.272","7.1.273","7.1.274","7.1.275","7.1.276","7.1.278","7.1.279","7.1.280","7.1.281","7.1.282","7.1.283","7.1.284","7.1.285","7.1.286","7.1.287","7.1.288","7.1.289","7.1.290","7.1.291","7.1.292","7.1.293","7.1.294","7.1.295","7.1.296","7.1.297","7.1.298","7.1.299","7.1.300","7.1.301","7.1.302","7.1.303","7.1.304","7.1.305","7.1.306","7.1.307","7.1.308","7.1.309","7.1.310","7.1.311","7.1.312","7.1.313","7.1.315","7.1.316","7.1.317","7.1.318","7.1.319","7.1.320","7.1.321","7.1.322","7.1.323","7.1.324","7.1.325","7.1.326","7.1.327","7.1.328","7.1.329","7.1.330","7.1.331","7.1.332","7.1.333","7.1.334","7.1.335","7.1.336","7.1.337","7.1.338","7.1.339","7.1.340","7.1.341","7.1.342","7.1.343","7.1.344","7.1.345","7.1.346","7.1.347","7.1.348","7.1.349","7.1.350","7.1.351","7.1.352","7.1.353","7.1.354","7.1.355","7.1.356","7.1.357","7.1.358","7.1.359","7.1.360","7.1.361","7.1.362","7.1.363","7.1.364","7.1.365","7.1.366","7.1.367","7.1.368","7.1.369","7.1.370","7.1.371","7.1.372","7.1.373","7.1.374","7.1.375","7.1.376","7.1.377","7.1.378","7.1.379","7.1.380","7.1.381","7.1.382","7.1.383","7.1.384","7.1.385","7.1.386","7.1.387","7.1.389","7.1.390","7.1.391","7.1.392","7.1.393","7.1.394","7.1.395","7.1.396","7.1.397","7.1.398","7.1.399","7.1.401","7.1.402","7.1.403","7.1.404","7.1.405","7.1.406","7.1.407","7.1.408","7.1.409","7.1.410","7.1.411","7.1.412","7.1.413","7.1.414","7.1.415","7.1.416","7.1.417","7.1.418","7.1.419","7.1.420","7.1.421","7.1.422","7.1.423","7.1.424","7.1.425","7.1.426","7.1.427","7.1.428","7.1.429","7.1.430","7.1.431","7.1.432","7.1.433","7.1.434","7.1.435","7.1.436","7.1.437","7.1.438","7.1.439","7.1.440","7.1.441","7.1.442","7.1.443","7.1.444","7.1.445","7.1.446","7.1.447","7.1.448","7.1.449","7.1.450","7.1.451","7.1.452","7.1.454","7.1.455","7.1.456","7.1.457","7.1.458","7.1.459","7.1.460","7.1.461","7.1.462","7.1.463","7.1.464","7.1.465","7.1.466","7.1.467","7.1.468","7.1.469","7.1.470","7.1.471","7.1.472","7.1.473","7.1.474","7.1.475","7.1.476","7.1.477","7.1.478","7.1.479","7.1.480","7.1.481","7.1.482","7.1.483","7.1.484","7.1.485","7.1.486","7.1.487","7.1.488","7.1.489","7.1.490","7.1.491","7.1.492","7.1.493","7.1.494","7.1.495","7.1.496","7.1.497","7.1.498","7.1.499","7.1.500","7.1.501","7.1.502","7.1.503","7.1.504","7.1.505","7.1.71","7.1.72","7.1.73","7.1.74","7.1.75","7.1.76","7.1.77","7.1.78","7.1.79","7.1.80","7.1.81","7.1.82","7.1.83","7.1.84","7.1.85","7.1.86","7.1.87","7.1.88","7.1.89","7.1.90","7.1.91","7.1.92","7.1.93","7.1.94","7.1.95","7.1.96","7.1.97","7.1.98","7.1.99","7.2.0","7.2.1","7.2.2","7.2.3","7.2.4","7.2.5","7.2.6","7.2.7","7.3","7.3.1","7.3.10","7.3.11","7.3.12","7.3.2","7.3.3","7.3.4","7.3.5","7.3.6","7.3.7","7.3.8","7.3.9","7.4.0","7.4.0-alpha.1","7.4.0-alpha.2","7.4.0-beta.1","7.4.0-beta.2","7.4.0-beta.3","7.4.1","7.4.2","7.4.3","7.4.4","7.4.5","7.4.6","7.4.7","7.4.8","7.4.9","7.5.0","7.5.1","7.5.2","v7.0.7029"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32641.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}