Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
This is a preliminary security advisory, and is being shared so that impacted organizations can update and patch as needed. Additional technical details will be released on March 6, 2023.
Background:
Mura CMS is a popular content management system written in ColdFusion/CFML. It was originally distributed as a commercially supported open source product, but was re-licensed as a closed source application with the release of Mura CMS v10 in 2020. Open source forks based on the last open source release of Mura CMS exist, including Masa CMS, which is actively maintained.
Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that allows an unauthenticated attacker to log in as any Site Member or System User.
The following CVEs have been assigned for this vulnerability:
CVE: CVE-2022-47003
Description: Authentication Bypass Vulnerability in Mura CMS
Impact: An unauthenticated attacker is able to log in as any Mura Site Member or Mura System User
Fixed Version(s): Mura CMS v10.0.580 and later
CVE: CVE-2022-47002
Description: Authentication Bypass Vulnerability in Masa CMS
Impact: An unauthenticated attacker is able to log in as any Masa Site Member or Masa System User
Fixed Version(s): Masa CMS v7.2.5, Masa CMS v7.3.10, Masa v7.4.0-beta.3 and later
Recommendations:
- Current Mura Software customers should upgrade to a fixed version of Mura CMS
- Sites running older, unmaintained versions of Mura CMS should plan to migrate to a fixed version of Masa CMS or contact Mura Software regarding patch availability.
- Sites running Masa CMS should upgrade to a fixed version of Masa CMS
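Because the fixed versions are spread across several release branches (and one of them is a pre-release), a simple string comparison will misjudge versions such as 7.4.0-beta.2 or 7.3.9. The following is an added example, not code from this advisory or from Mura Software or the Masa CMS project: it parses a version string and reports whether it is at or above the fixed version for its branch. Two assumptions are labelled in the code: a branch newer than the newest listed one (for example Masa 7.5.x or Mura 10.1.x) is treated as fixed on the strength of "and later", and a branch older than any listed one (for example Masa 7.1.x or Mura 7.x) is treated as unfixed, since no fix is listed for it.

```python
"""Fixed-version check for the Mura CMS / Masa CMS authentication bypass
(CVE-2022-47003 / CVE-2022-47002).

Added example: the thresholds below are the fixed versions named in the
advisory; how unlisted branches are treated is an assumption (see is_fixed).
"""
import re
from typing import Tuple

# Accepts "10.0.580", "v7.2.5", "7.4.0-beta.3", "7.4.0-beta".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")

# (major, minor, patch, is_final_release, prerelease_tag, prerelease_number)
VersionTuple = Tuple[int, int, int, int, str, int]


def parse_version(text: str) -> VersionTuple:
    """Parse a Mura/Masa style version string into a comparable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release, so
    7.4.0-beta.3 sorts below 7.4.0 (a final release always beats its betas).
    Pre-release tags compare as plain strings ("alpha" < "beta" < "rc").
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), 1, "", 0)
    return (int(major), int(minor), int(patch), 0, tag.lower(), int(num) if num else 0)


# Fixed versions named in the advisory, per product.
FIXED = {
    "mura": [parse_version("10.0.580")],
    "masa": [
        parse_version("7.2.5"),
        parse_version("7.3.10"),
        parse_version("7.4.0-beta.3"),
    ],
}


def is_fixed(product: str, version: str) -> bool:
    """Return True if `version` of `product` is at or above the fix for its branch.

    Assumptions (not stated by the advisory beyond "and later"):
      * a major.minor branch newer than every listed branch is treated as fixed;
      * a branch older than every listed branch is treated as NOT fixed, because
        no fixed release exists for it (the advisory recommends migrating instead).
    """
    v = parse_version(version)
    thresholds = sorted(FIXED[product.lower()])
    for t in thresholds:
        if t[:2] == v[:2]:          # same major.minor branch: compare directly
            return v >= t
    return v[:2] > thresholds[-1][:2]


def triage(product: str, version: str) -> str:
    """Human-readable verdict, e.g. for a fleet inventory script."""
    verdict = "fixed" if is_fixed(product, version) else "VULNERABLE - upgrade"
    return f"{product} {version}: {verdict}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("mura", "10.0.579"), ("mura", "v10.0.580"),
                      ("masa", "7.3.9"), ("masa", "7.4.0-beta.2"),
                      ("masa", "7.4.0-beta.3"), ("masa", "7.4.0")]:
        print(triage(prod, ver))
```

The comparison is branch-aware on purpose: Masa 7.3.9 is older than 7.3.10 and therefore vulnerable even though it is numerically "above" the 7.2.5 fix, and 7.4.0-beta.2 is below 7.4.0-beta.3 while the final 7.4.0 release is above it.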
Additional References:
Mura CMS:
- https://groups.google.com/g/mura-cms-developers/c/MpjNlYcs1MI
- https://groups.google.com/g/mura-cms-developers/c/aZzYSPQNbi4
Masa CMS:
- https://github.com/MasaCMS/MasaCMS/releases/tag/7.2.5
- https://github.com/MasaCMS/MasaCMS/releases/tag/7.3.10
- https://github.com/MasaCMS/MasaCMS/releases/tag/7.4.0-beta.3