Critical Security Update for Mura CMS: Version 6.1 and Earlier

October 12, 2017

An independent researcher has found a significant security vulnerability in Mura CMS that affects all instances currently on or upgraded from core versions 6.1 and earlier.

Description

The vulnerability is related to a rarely-used feature of Mura CMS—the "draggable feeds" content object, which is powered by this single file: {mura root}/tasks/feed/readRSS.cfm

Since the vulnerability was discovered in versions of Mura that are no longer auto-updatable, you will need to manually patch your instances. Fortunately, it is very easy to do.

Solution

Locate this file and delete it from the server:

{mura root}/tasks/feed/readRSS.cfm

That's it!

Questions?

If you have questions about this, please post them here: 

Please note, the "draggable feeds" feature was removed from Mura in version 6.2. However, the file will still be in place if the version has been updated from 6.1 or below, and should be deleted. This security patch does not apply to Mura instances which were originally installed at version 6.2 or higher.
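
Because the file survives upgrades, a server that hosts several Mura instances may carry more than one copy. The following script is an added example, not part of the original advisory or of Mura itself. It scans a directory tree for any remaining `tasks/feed/readRSS.cfm`, reports the copies it finds, and deletes them only when asked. The function names and the search root you pass in are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Mura code): audit a directory tree for leftover copies of
# {mura root}/tasks/feed/readRSS.cfm and optionally delete them.
# Usage: sh this_script.sh <search-root> [--delete]
# Exit status: 0 = no copy remains, 1 = at least one copy present, 2 = bad root.

mura_readrss_find() {
    # Print every file whose path ends in tasks/feed/readRSS.cfm, one per line.
    find "$1" -type f -path '*/tasks/feed/readRSS.cfm' 2>/dev/null
}

mura_readrss_audit() {
    root=$1
    mode=${2:-report}   # default is report-only; nothing is deleted without --delete
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    mura_readrss_find "$root" | while IFS= read -r f; do
        if [ "$mode" = "--delete" ]; then
            rm -f -- "$f" && echo "deleted: $f"
        else
            echo "present: $f"
        fi
    done

    # Re-scan so the return status reflects what is on disk now,
    # including any copy that could not be removed (e.g. permissions).
    remaining=$(mura_readrss_find "$root" | wc -l | tr -d ' ')
    [ "$remaining" -eq 0 ]
}

# Run only when arguments are supplied, so the file can also be sourced.
if [ $# -gt 0 ]; then
    mura_readrss_audit "$@"
fi
```

Run it without `--delete` first to see which instances are affected. A non-zero exit status after a `--delete` run means a copy is still on disk.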