CVE-2024-32640: 
MasaCMS vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2024-32640) was discovered in Mura/Masa CMS affecting versions 7.2, 7.3, and 7.4. The vulnerability exists in the processAsyncObject API method, allowing a remote authenticated attacker to achieve SQL injection through the contenthistid parameter (ProjectDiscovery Blog, Seebug).

The vulnerability exists in the JSON API's processAsyncObject method where the ContentHistID parameter is not properly sanitized in SQL queries. The exploitation requires setting the previewID parameter to trigger the isOnDisplay property. The attack can be executed by sending a specially crafted request to '/_api/json/v1/default/?method=processAsyncObject&object=displayregion&contenthistid=x%5c'&previewID=x' endpoint (ProjectDiscovery Blog).

Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data and potentially remote code execution. In a proof-of-concept demonstration, researchers were able to reset admin passwords, obtain reset tokens, and achieve RCE through plugin installation capabilities (ProjectDiscovery Blog).

Users are advised to update to the patched versions immediately: Masa CMS version 7.4.6, 7.3.13, or 7.2.8. These versions include security patches for this vulnerability and other critical issues (MasaCMS Release).

Apple, which was affected by this vulnerability, responded swiftly and implemented a fix within 2 hours of the initial report. The Masa CMS team was transparent about the issue and released patched versions promptly. However, the Mura CMS team did not respond to multiple attempts at communication regarding these vulnerabilities (ProjectDiscovery Blog).