CVE-2021-42183: 
MasaCMS vulnerability analysis and mitigation

MasaCMS 7.2.1 contains a path traversal vulnerability in the /index.cfm/_api/asset/image/ endpoint. The vulnerability was discovered in 2021 and assigned identifier CVE-2021-42183 (CVE Details, MITRE).

The vulnerability exists in the file handling functionality of MasaCMS, specifically in the /index.cfm/_api/asset/image/ endpoint. The issue allows attackers to traverse directory paths using the filePath parameter. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability allows unauthorized access to files outside the intended directory structure. An attacker can potentially read sensitive configuration files and system information through path traversal, including accessing the Application.cfc file and configuration settings (GitHub POC).

The vulnerability affects MasaCMS version 7.2.1. Users should upgrade to a patched version of the software. The issue was identified in the fileManager.cfc component (MasaCMS Source).