Mura CMS was a popular open-source content management system (CMS) written in ColdFusion. While initially an open-source project maintained by blueriver.com, it was re-licensed as a closed-source cloud application with the release of Mura CMS v10 in 2020. There are forked open-source projects based on the last open-source release of Mura CMS 7.1, including Masa CMS – which is currently maintained at v7.4.
Mura CMS 7.x and Masa CMS versions v7.4.0-beta and earlier contain an authentication bypass vulnerability allowing an unauthenticated attacker to log in as any site member or system user. There is a conditional logic flaw in the “remember me” code. Simply, some well-formed steps can send arguments.userHash
variable with no value, creating a true
value when looking to see if arguments.userHash
is empty or arguments.userHash
equals the user’s hash. This is accomplished by passing an empty userHash
cookie value if using Lucee, or passing in a single irrelevant character if Adobe ColdFusion.
For this article, I am only focusing on the open-source version. Mura CMS 10 has a different CVE (2022-47003). The Common Vulnerabilities and Exposures (CVE) database defined this vulnerability:
CVE-2022-47002 – Authentication Bypass Vulnerability in Masa CMS (Base Score: 9.8 CRITICAL)
A vulnerability in the Remember Me function of Masa CMS v7.2, 7.3, and 7.4-beta allows attackers to bypass authentication via a crafted web request.
Fixed Version(s): Masa CMS v7.2.5, Masa CMS v7.3.10, Masa v7.4.0-beta.3 and later