Two security flaws have been discovered for all versions of Mura CMS older than version 7.0.6852. We strongly encourage all Mura CMS administrators to update their Mura CMS core to the latest version, or to replace the two files that contain the vulnerabilities. You can do so by following these steps:
1. Login to the Mura admin with an account that has super user rights.
2. Once logged in, go to "Global Settings, and click "Update Mura Core".
Updating your Mura CMS to the latest release will fully eliminate this vulnerability.
If you are not able to use the Mura CMS auto-updater or you are not ready to perform a full Mura CMS upgrade, you can manually apply the patch by updating two files in your Mura CMS instance.
Mura 7.x sites should use this file: https://github.com/blueriver/MuraCMS/blob/master/admin/Application.cfc
Mura 6.2 sites should use this file: https://github.com/blueriver/MuraCMS/blob/6.2/admin/Application.cfc
Mura 6.1 sites should use this file: https://github.com/blueriver/MuraCMS/blob/6.1/admin/Application.cfc
Mura 6.0 sites should use this file: https://github.com/blueriver/MuraCMS/blob/6.0/admin/Application.cfc
Mura 5.x sites should use this file: https://github.com/blueriver/MuraCMS/blob/5.x/admin/Application.cfc
Mura 7.x sites should use this file: https://github.com/blueriver/MuraCMS/blob/master/requirements/mura/configBean.cfc
Mura 6.2 sites should use this file: https://github.com/blueriver/MuraCMS/blob/6.2/requirements/mura/configBean.cfc
An independent security researcher has reported these vulnerabilities to Beyond Security's SecuriTeam Secure Disclosure program, who passed along the information to us.
If you have questions about this, please post them in the Mura channel in the CFML Slack team or in the Mura Developers Google Group