cbcvebase.
CVE-2022-47003
published 2023-02-01

CVE-2022-47003: A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request.

Priority: P265 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.64% (88.2th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| murasoftware | mura_cms | < 10.0.580 | 10.0.580 |

Detection & IOCs (extracted from sources)

url: /index.cfm/_api/json/v1/{{siteid}}/content/?fields=lastupdatebyid
url: /admin/?muraAction=cEditProfile.edit
cookie: userid={{uuid}}; userhash=
  • Detect exploitation attempts by monitoring HTTP GET requests to /index.cfm/_api/json/v1/*/content/ with the 'fields=lastupdatebyid' parameter, which is used to harvest a valid admin UUID for the bypass.
  • Detect authentication bypass attempts by monitoring requests to /admin/?muraAction=cEditProfile.edit that carry a 'userid' cookie with a UUID value but an empty 'userhash' cookie.
  • Shodan fingerprinting queries for exposed Mura CMS instances: search for 'Generator: Mura CMS' or 'generator: mura cms' in HTTP headers/body.
  • Extract the admin UUID from the JSON API response using the regex '"lastupdatebyid":"([A-F0-9-]+)"' — this UUID is then reused as the 'userid' cookie value to impersonate the admin.
  • Extract the Mura CMS site ID from the page body using the regex 'siteid:"(.*?)"' — this value is required to construct the API endpoint used in the attack chain.
  • The attack is a 3-step chain: (1) GET / to extract siteid, (2) query the JSON API with the siteid to harvest an admin UUID via 'lastupdatebyid', (3) send a crafted request to /admin/ with the UUID as the 'userid' cookie and an empty 'userhash' cookie to bypass authentication.
  • The vulnerability is in the 'Remember Me' function (CWE-863: Incorrect Authorization). The empty 'userhash' cookie combined with a valid 'userid' UUID is the core bypass mechanism.
  • The Nuclei template uses up to 2 redirects; detection logic must account for redirect chains when monitoring for this attack pattern.
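
The two request patterns in the detection notes above, written as matching logic over request records and grouped per client so that a harvest followed by a bypass attempt stands out. This is an added example, not code from the sources or from any Mura CMS tooling; the record layout (client, method, URI, Cookie header), the sample data and every function name are assumptions, and it presumes the proxy or WAF log includes the Cookie header.

```python
import re
from urllib.parse import urlsplit, parse_qs

API_PATH = re.compile(r"^/index\.cfm/_api/json/v1/[^/]+/content/?$", re.I)
UUID = re.compile(r"[A-F0-9-]+", re.I)  # character class from the page's regex

# Constructed sample records: (client, method, request URI, Cookie header)
SAMPLE = [
    ("203.0.113.7", "GET", "/index.cfm/_api/json/v1/default/content/?fields=lastupdatebyid", ""),
    ("203.0.113.7", "GET", "/admin/?muraAction=cEditProfile.edit",
     "userid=0A1B2C3D-4E5F-6A7B-8C9D0E1F2A3B4C5D; userhash="),
    ("198.51.100.20", "GET", "/admin/?muraAction=cEditProfile.edit",
     "userid=0A1B2C3D-4E5F-6A7B-8C9D0E1F2A3B4C5D; userhash=9f2c1e"),
    ("198.51.100.9", "GET", "/index.cfm/_api/json/v1/default/content/?fields=title", ""),
]

def parse_cookies(header):
    """Split a Cookie header into a dict, keeping empty values."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.lower()] = value.strip()
    return cookies

def classify(method, uri, cookie_header):
    """Return 'uuid_harvest', 'remember_me_bypass' or None for one request."""
    url = urlsplit(uri)
    query = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if method == "GET" and API_PATH.match(url.path):
        fields = ",".join(query.get("fields", [])).lower().split(",")
        if "lastupdatebyid" in fields:
            return "uuid_harvest"
    if url.path.rstrip("/").lower() == "/admin":
        action = [a.lower() for a in query.get("muraaction", [])]
        cookies = parse_cookies(cookie_header)
        # Flag only a UUID-shaped userid paired with a present-but-empty userhash.
        if ("ceditprofile.edit" in action and cookies.get("userhash") == ""
                and UUID.fullmatch(cookies.get("userid", ""))):
            return "remember_me_bypass"
    return None

def detect(records):
    """Map each client to the ordered list of chain stages it triggered."""
    hits = {}
    for client, method, uri, cookie_header in records:
        stage = classify(method, uri, cookie_header)
        if stage:
            hits.setdefault(client, []).append(stage)
    return hits
```

Because each request is classified on its own, requests reached through redirects are matched the same way as direct ones.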