January 31, 2023
Authentication Bypass Vulnerability in Mura CMS and Masa CMS – Preliminary Security Advisory

Update March 6, 2023 – the full security advisory has been released here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html

This is a preliminary security advisory, and is being shared so that impacted organizations can update and patch as needed. Additional technical details will be released on March 6, 2023.

Background:

Mura CMS is a popular content management system written in ColdFusion. (But since you’re reading this on the Adobe ColdFusion Blogs site, you probably already knew that.) While Mura CMS was originally a commercial open source product, it was re-licensed as a closed source application with the release of Mura CMS v10 in 2020. There are forked open source projects based on the last open source release of Mura CMS, including Masa CMS, which is actively maintained.

Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to login as any Site Member or System User. Patches and updated releases are available, and sites running impacted versions should refer to the Recommendations section below. The following CVEs have been reserved for these vulnerabilities:

CVE: CVE-2022-47003
Description:  Authentication Bypass Vulnerability in Mura CMS
Impact:  An unauthenticated attacker is able to login as any Mura Site Member or Mura System User
Fixed Version(s): Mura CMS v10.0.580 and later

CVE: CVE-2022-47002
Description:  Authentication Bypass Vulnerability in Masa CMS
Impact:  An unauthenticated attacker is able to login as any Masa Site Member or Masa System User
Fixed Version(s): Masa CMS v7.2.5, Masa CMS v7.3.10, Masa v7.4.0-beta.3 and later

Recommendations:

  • Current Mura Software customers should upgrade to a fixed version of Mura CMS
  • Sites running older, unmaintained versions of Mura CMS should plan to migrate to a fixed version of Masa CMS or contact Mura Software regarding patch availability.
  • Sites running Masa CMS should upgrade to a fixed version of Masa CMS
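Deciding whether an installed release is covered by the "and later" wording above is easy to get wrong by hand, because the Masa fix landed on three separate branches (7.2.x, 7.3.x and the 7.4.0 betas). The following script is an added example, not code from the advisory or from the Mura or Masa projects: it parses version strings, compares an installed version against the first fixed release of its branch, and audits a constructed host inventory. It assumes that a version on a branch with no listed fix is unpatched if it is older than the newest fixed release and patched if it is newer; confirm that against the vendor's release notes before relying on it.

```python
import re

# Fixed versions exactly as listed in the advisory. Interpretation (an
# assumption of this example): each entry is the first fixed release of its
# major.minor branch; releases of that branch at or above it are fixed.
FIXED_VERSIONS = {
    "mura": ["10.0.580"],
    "masa": ["7.2.5", "7.3.10", "7.4.0-beta.3"],
}

# Accepts '7.2.5', 'v10.0.580' and pre-releases such as 'v7.4.0-beta.3'.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+))?$")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, is_final, pre_number).

    A pre-release sorts below the final release of the same number, so
    is_final is 0 for pre-releases and 1 for final releases:
        '7.4.0-beta.3' -> (7, 4, 0, 0, 3)
        '7.4.0'        -> (7, 4, 0, 1, 0)
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):  # pre-release tag present
        return (major, minor, patch, 0, int(m.group(5)))
    return (major, minor, patch, 1, 0)


def is_fixed(product, version):
    """True if `version` of `product` is at or above the first fixed release
    of its major.minor branch, following the advisory's 'and later' wording."""
    key = product.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    installed = parse_version(version)
    fixed_list = [parse_version(v) for v in FIXED_VERSIONS[key]]
    for fixed in fixed_list:
        if installed[:2] == fixed[:2]:  # same major.minor branch
            return installed >= fixed
    # Assumption: a branch with no listed fix is unpatched when it is older
    # than the newest fixed release and patched when it is newer.
    return installed > max(fixed_list)


def audit(inventory):
    """inventory: iterable of (hostname, product, version).
    Returns (hostname, product, version, status) rows; status is 'fixed'
    or 'UPDATE' for installs that still need patching."""
    return [(host, product, version, "fixed" if is_fixed(product, version) else "UPDATE")
            for host, product, version in inventory]


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("cms1.example.test", "Mura", "10.0.579"),
    ("cms2.example.test", "Mura", "v10.0.580"),
    ("cms3.example.test", "Masa", "7.3.9"),
    ("cms4.example.test", "Masa", "7.4.0-beta.3"),
    ("cms5.example.test", "Mura", "7.1.0"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("{:<20} {:<5} {:<14} {}".format(*row))
```

Run it with a real inventory exported from your asset list; any row marked UPDATE should be scheduled for the upgrade path in the Recommendations above.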

Additional References:

Mura CMS:

Masa CMS:


A copy of this blog post is available here: https://hoyahaxa.blogspot.com/2023/01/preliminary-security-advisory.html. For more ColdFusion security content, check out Brian’s other blog posts at https://hoyahaxa.blogspot.com/search/label/coldfusion

1 Comment
2023-02-13 20:51:18

Thank you for posting this!
