Saturday, January 28, 2023

Preliminary Security Advisory - Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)

Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html


This is a preliminary security advisory, shared now so that impacted organizations can update and patch as needed. Additional technical details will be released on March 6, 2023.

Background:

Mura CMS is a popular content management system written in ColdFusion/CFML. While it was originally a commercial open source product, it was re-licensed as a closed source application with the release of Mura CMS v10 in 2020. There are forked open source projects based on the last open source release of Mura CMS, including Masa CMS, which is actively maintained.

Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to log in as any Site Member or System User.


The following CVEs have been assigned for this vulnerability:


CVE: CVE-2022-47003

Description: Authentication Bypass Vulnerability in Mura CMS

Impact: An unauthenticated attacker is able to log in as any Mura Site Member or Mura System User

Fixed Version(s): Mura CMS v10.0.580 and later


CVE: CVE-2022-47002

Description: Authentication Bypass Vulnerability in Masa CMS

Impact: An unauthenticated attacker is able to log in as any Masa Site Member or Masa System User

Fixed Version(s): Masa CMS v7.2.5, Masa CMS v7.3.10, Masa v7.4.0-beta.3 and later


Recommendations:

  • Current Mura Software customers should upgrade to a fixed version of Mura CMS.
  • Sites running older, unmaintained versions of Mura CMS should plan to migrate to a fixed version of Masa CMS or contact Mura Software regarding patch availability.
  • Sites running Masa CMS should upgrade to a fixed version of Masa CMS.
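For administrators with many Mura or Masa installations, the practical question is whether a given installed version is at or above the fixed versions listed above. The following is an added example, not code from the advisory or from the Mura or Masa projects; it takes a version string as input (how you obtain that string from your own installation is left to you) and only uses the fixed versions stated in this advisory. It assumes that the Masa fixed versions are per release branch (7.2.x fixed at 7.2.5, 7.3.x at 7.3.10, 7.4 pre-releases at 7.4.0-beta.3), that any later branch counts as "and later", and, conservatively, that anything older than those branches is treated as unpatched.

```python
import re
from typing import Optional, Tuple

# Fixed versions as stated in the advisory (the only page-specific values used).
FIXED_MURA = "10.0.580"
FIXED_MASA_BRANCHES = {
    (7, 2): "7.2.5",
    (7, 3): "7.3.10",
    (7, 4): "7.4.0-beta.3",
}
LATEST_MASA_BRANCH = max(FIXED_MASA_BRANCHES)

Numeric = Tuple[int, ...]
PreRelease = Optional[Tuple[str, int]]


def parse_version(version: str) -> Tuple[Numeric, PreRelease]:
    """Parse 'v7.4.0-beta.3' into ((7, 4, 0), ('beta', 3)); '10.0.580' -> ((10, 0, 580), None)."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d+)?)?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numeric = tuple(int(part) for part in match.group(1).split("."))
    pre: PreRelease = None
    if match.group(2):
        # A pre-release tag with no number (e.g. '-beta') is treated as number 0.
        pre = (match.group(2).lower(), int(match.group(3) or 0))
    return numeric, pre


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Numeric components are compared first (missing trailing components count as 0);
    a pre-release sorts below the final release with the same numbers.
    """
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if pa == pb:
        return 0
    if pa is None:  # 'a' is the final release, 'b' is a pre-release of it
        return 1
    if pb is None:
        return -1
    return -1 if pa < pb else 1


def is_fixed(product: str, installed: str) -> bool:
    """True if the installed version is at or above the advisory's fixed version."""
    name = product.strip().lower()
    if name == "mura":
        return compare(installed, FIXED_MURA) >= 0
    if name == "masa":
        numeric, _ = parse_version(installed)
        branch = (numeric + (0, 0))[:2]
        if branch in FIXED_MASA_BRANCHES:
            return compare(installed, FIXED_MASA_BRANCHES[branch]) >= 0
        # Assumption: branches newer than the newest listed one fall under "and later";
        # branches older than the oldest listed one are treated as unpatched.
        return branch > LATEST_MASA_BRANCH
    raise ValueError(f"unknown product: {product!r}")


def status_line(product: str, installed: str) -> str:
    """Human-readable one-liner suitable for an inventory report."""
    verdict = "patched" if is_fixed(product, installed) else "VULNERABLE - upgrade required"
    return f"{product} {installed}: {verdict}"


if __name__ == "__main__":
    # Constructed sample inventory; these are illustrative values, not real hosts.
    for product, version in [("Mura", "v10.0.579"), ("Mura", "10.0.580"),
                             ("Masa", "7.3.9"), ("Masa", "v7.4.0-beta.3")]:
        print(status_line(product, version))
```

The pre-release handling matters here because the Masa 7.4 fixed version is a beta: a plain version-string comparison would rank "7.4.0-beta.2" above "7.4.0" lexicographically, which is backwards.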


Additional References:

Mura CMS:


Masa CMS:

