Researchers from ProjectDiscovery discovered a critical SQL injection vulnerability in Apple's Book Travel portal, which was exploitable to achieve Remote Code Execution (RCE). The flaw originated from unsafe handling of user inputs in the Masa/Mura CMS JSON API, bypassing standard sanitization measures.
Background
The vulnerability affects Apple's internal travel booking system powered by Lucee and Masa/Mura CMS, highlighting risks in enterprise content management systems. This disclosure underscores the importance of rigorous code auditing for third-party integrations in large tech organizations.
- Source
- Lobsters
- Published
- Jul 12, 2026 at 06:50 PM
- Score
- 9.0 / 10