Saturday, January 28, 2023

Preliminary Security Advisory - Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)

Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html


This is a preliminary security advisory, and is being shared so that impacted organizations can update and patch as needed.  Additional technical details will be released on March 6, 2023.

Background:

Mura CMS is a popular content management system written in ColdFusion/CFML. While it was originally a commercial open source product, it was re-licensed as a closed source application with the release of Mura CMS v10 in 2020.  There are forked open source projects based on the last open source release of Mura CMS, including Masa CMS - which is actively maintained.

Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an  unauthenticated attacker to login as any Site Member or System User.