Mura CMS and its open-source fork, Masa CMS, are content management systems used by thousands of websites worldwide. Security researchers have recently detailed an authentication bypass vulnerability in both systems that lets an unauthenticated attacker log in as any Mura or Masa site member or system user.
The flaw lies in the “remember me” functionality of both systems. On a successful login it sets a cookie holding an encrypted value; on later requests that cookie is decrypted and validated, and a user whose session has expired is logged back in transparently. A conditional logic flaw in that validation lets an attacker who never authenticated satisfy the check and gain unauthorized access.
The vulnerability has been assigned two CVEs, CVE-2022-47003 for Mura CMS and CVE-2022-47002 for Masa CMS, each with a CVSS v3 base score of 9.8 (critical). Patches have been released for both systems, and users are strongly encouraged to upgrade to the latest fixed version as soon as possible.
The root cause is a conditional logic flaw in the “remember me” validation. Mura userid values are randomly generated UUIDs, so they are not trivially guessable, but a UUID is an identifier rather than a secret, and relying on it alone for authorization is not recommended. An attacker who obtains valid userid UUIDs, for example by automating requests that return them, can use one to send an authenticated request to any application page, action, or asset as that user, which is exactly what CVE-2022-47003 and CVE-2022-47002 allow.
To prevent exploitation, current Mura Software customers should upgrade to a fixed version of Mura CMS (v10.0.580 or later). Sites running older, unmaintained versions of Mura CMS should plan to migrate to a fixed version of Masa CMS or contact Mura Software regarding patch availability. Sites running Masa CMS should upgrade to a fixed Masa CMS release, as patches are readily available.