
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request. The vulnerability, identified as CVE-2022-47003, was discovered in late 2022 and affects both Mura CMS and its open-source fork, Masa CMS. The flaw enables an unauthenticated attacker to log in as any Site Member or System User (Security Blog).
The root cause is a conditional logic flaw in the Remember Me functionality. After a successful login, the Remember Me function creates a cookie with an encrypted value; the flaw lies in the logic that later validates the userHash from that cookie, where a zero-length arguments.userHash value can trigger successful authentication. The vulnerability received a CVSS v3 score of 9.8, indicating critical severity (Security Online).
An unauthenticated attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to any user account, including Site Member and System User accounts. This allows the attacker to make authenticated requests to any application page, action, or asset within the system (Security Blog).
Organizations running Mura CMS should upgrade to version 10.0.580 or later. Sites running older, unmaintained versions of Mura CMS should either migrate to a fixed version of Masa CMS or contact Mura Software regarding patch availability. A temporary fix involves modifying the conditional logic in loginManager.cfc to include additional validation checks (Security Blog).
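As an added illustration (not Mura's loginManager.cfc, whose code is not reproduced here), the following Python models the flaw class described above: a Remember Me check whose conditional only rejects a non-empty, mismatching userHash, so a zero-length hash falls through to the success path, beside a hardened check that requires a non-empty hash on both sides and compares in constant time. The user store, user names and token values are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample store (not Mura's schema): the hash persisted for a user
# when they log in with Remember Me; empty when they never did.
ALICE_HASH = hashlib.sha256(b"alice-remember-me-token").hexdigest()
USER_STORE = {
    "alice": {"remember_me_hash": ALICE_HASH},
    "bob": {"remember_me_hash": ""},
}


def remember_me_vulnerable(username: str, user_hash: str):
    """Hypothetical model of the flaw class: the guard only rejects when a
    NON-EMPTY hash mismatches, so a zero-length hash skips the rejection
    and the function falls through to the success path."""
    user = USER_STORE.get(username)
    if user is None:
        return None
    if len(user_hash) and user_hash != user["remember_me_hash"]:
        return None
    return username  # reached with user_hash == "" -> authentication bypass


def remember_me_fixed(username: str, user_hash: str):
    """Hardened check: both the presented and the stored hash must be
    non-empty, and they must match under a constant-time comparison."""
    user = USER_STORE.get(username)
    if user is None:
        return None
    stored = user["remember_me_hash"]
    if not user_hash or not stored:
        return None
    if not hmac.compare_digest(user_hash.encode(), stored.encode()):
        return None
    return username


if __name__ == "__main__":
    print("vulnerable, empty hash:", remember_me_vulnerable("alice", ""))      # alice
    print("fixed, empty hash:     ", remember_me_fixed("alice", ""))           # None
    print("fixed, valid hash:     ", remember_me_fixed("alice", ALICE_HASH))   # alice
```

The same defect surfaces for accounts that never used Remember Me (stored hash empty), which is why the hardened version rejects an empty value on either side rather than only on the request.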
Source: This report was generated using AI