Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Mura and Masa CMS SQL Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A SQL injection vulnerability has been identified in Mura CMS and its fork, Masa CMS, in versions prior to 7.4.6, 7.3.13, and 7.2.8. The vulnerability resides in the 'processAsyncObject' method of the JSON API, where unsanitized input can be injected into SQL queries. This flaw can be exploited to execute arbitrary code on the server.

Impact

Exploitation of this vulnerability allows for SQL injection, which can be leveraged to execute arbitrary code on the server.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/index.cfm/_api/json/v1/default/?method=processAsyncObject' endpoint. Include the 'object' parameter set to 'displayregion', the 'contenthistid' parameter with a crafted value that exploits the SQL injection, and the 'previewID' parameter to trigger the injection. This will cause the application to execute the injected SQL, leading to potential code execution.

Remediation

Users should update Mura CMS to 7.4.6, 7.3.13, or 7.2.8, whichever fixed release matches the installed branch. The same fixed versions apply to Masa CMS.
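The following is an added defender-side example, not code from the advisory or from the Mura/Masa projects. It covers the two actionable points above: checking whether an installed version is below the fixed release of its branch, and triaging proxy or WAF events for POST requests to the 'processAsyncObject' endpoint with the 'displayregion' object, 'contenthistid' and 'previewID' parameters. The event layout (decoded form fields in a "body" dict) and the sample events are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Endpoint, method and parameter names come from the advisory.
VULN_PATH = "/index.cfm/_api/json/v1/default/"
VULN_METHOD = "processAsyncObject"
# Fixed release per branch, from the remediation section.
FIXED_VERSIONS = {"7.2": (7, 2, 8), "7.3": (7, 3, 13), "7.4": (7, 4, 6)}
# Crude SQL metacharacter heuristic for the injected parameter (assumption).
SQLI_HINT = re.compile(r"['\";]|--|/\*|\s(or|and|union|select)\s", re.IGNORECASE)


def is_affected_version(version: str) -> bool:
    """True if a Mura/Masa version string is below the fixed release of its branch."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_VERSIONS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return False  # branch not covered by the advisory; treat as not affected
    return parts < fixed


def flag_request(event: dict) -> Optional[str]:
    """Classify one constructed proxy/WAF event: None, 'probe' or 'sqli'."""
    if event.get("method") != "POST":
        return None
    url = urlsplit(event.get("url", ""))
    if url.path != VULN_PATH:
        return None
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    params.update(event.get("body", {}))  # form fields as decoded by the proxy
    if params.get("method") != VULN_METHOD or params.get("object") != "displayregion":
        return None
    if "previewID" in params and SQLI_HINT.search(params.get("contenthistid", "")):
        return "sqli"  # all three advisory parameters present plus SQL metacharacters
    return "probe"  # right endpoint and object, but no injection indicator


def triage(events: list) -> list:
    """Return (index, verdict) for every event that matches the advisory pattern."""
    return [(i, flag_request(e)) for i, e in enumerate(events) if flag_request(e)]


SAMPLE_EVENTS = [  # constructed for this example, not real traffic
    {"method": "POST", "url": VULN_PATH + "?method=" + VULN_METHOD,
     "body": {"object": "displayregion", "contenthistid": "abc'--", "previewID": "1"}},
    {"method": "POST", "url": VULN_PATH + "?method=" + VULN_METHOD,
     "body": {"object": "displayregion", "contenthistid": "abc123", "previewID": "1"}},
    {"method": "GET", "url": VULN_PATH + "?method=" + VULN_METHOD, "body": {}},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS), is_affected_version("7.4.5"))
```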

Added: Aug 11, 2025, 9:22 PM
Updated: Aug 11, 2025, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 10.0
remediation: 7.7
relevance: 0.3
threat: 9.9
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.