CVE-2025-67830

EUVD-2025-208838 | CRITICAL | CVSS 3.1 base score 9.8 | 2026-03-18 (mitre)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 18, 2026 - 17:00 (euvd), EUVD-2025-208838
Analysis Generated: Mar 18, 2026 - 17:00 (vuln.today)
CVE Published: Mar 18, 2026 - 00:00 (nvd)

Description

Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection.

Analysis

A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS before version 10.1.14, specifically in the getQuery function's sortby parameter. An attacker can inject arbitrary SQL commands through the sortby parameter to extract, modify, or delete database contents. The vulnerability affects Mura CMS installations running versions prior to 10.1.14.

Technical Context

Mura CMS is a content management system built on ColdFusion/CFML that provides content management and publishing capabilities. The beanFeed.cfc component is a ColdFusion component responsible for handling feed-related database queries. The getQuery function constructs SQL queries using user-supplied input from the sortby parameter without proper sanitization or parameterized query preparation. This violates secure coding practices for ColdFusion/CFML applications, where parameterized queries (cfqueryparam) or input validation should be mandatory for dynamic SQL construction. The root cause is improper input validation and lack of query parameterization in the sortby sorting mechanism.

Affected Products

Mura CMS versions prior to 10.1.14 are affected, as confirmed by the CVE description and vendor release notes. The vulnerability impacts all installations running Mura before version 10.1.14. Specific CPE data shows the affected product scope as cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* (incomplete metadata in public records). Detailed affected versions and configurations should be cross-referenced with Mura's official documentation at https://docs.murasoftware.com/v10/release-notes/#section-version-1014.

Remediation

Immediately upgrade Mura CMS to version 10.1.14 or later to receive the patch that addresses the SQL injection flaw in beanFeed.cfc. Consult the official Mura release notes at https://docs.murasoftware.com/v10/release-notes/#section-version-1014 for upgrade instructions and any breaking changes. Until the patch can be applied, restrict network access to the Mura CMS application using a web application firewall (WAF) with SQL injection detection rules, implement input validation on the sortby parameter at the application or reverse proxy level, and disable or restrict access to beanFeed.cfc endpoints if they are not required in production. Review database user permissions so that the ColdFusion application account holds only the privileges it needs, limiting the blast radius of a successful injection.
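As an added illustration of the sortby handling described under Technical Context and of the input-validation mitigation above (example code written for this page, not Mura's own CFML; the table name, column allowlist and sample inputs are constructed), the following Python places the concatenation anti-pattern beside an allowlist validator. ORDER BY column names cannot be bound with cfqueryparam, which binds values rather than identifiers, so validating every sortby token against a known set is the control that actually closes this class of bug.

```python
from typing import List, Tuple

# Constructed allowlist of columns a feed may sort on (hypothetical names;
# Mura's real column set is not shown on the page).
ALLOWED_SORT_COLUMNS = {"title", "lastupdate", "releasedate", "orderno"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


class InvalidSortBy(ValueError):
    """Raised when a sortby term is not composed of permitted tokens."""


def vulnerable_build_query(sortby: str) -> str:
    """The anti-pattern the advisory describes: the caller-controlled
    sortby string is concatenated straight into the ORDER BY clause."""
    return "SELECT contentid, title FROM tcontent ORDER BY " + sortby


def parse_sortby(sortby: str) -> List[Tuple[str, str]]:
    """Validate a comma-separated sortby list such as 'title asc, orderno'.

    Each term is '<column>' or '<column> <direction>'; both tokens must match
    the allowlist case-insensitively, and a missing direction means asc."""
    terms = []
    for raw in sortby.split(","):
        parts = raw.strip().split()
        if not parts or len(parts) > 2:
            raise InvalidSortBy(f"malformed sort term: {raw!r}")
        column = parts[0].lower()
        direction = parts[1].lower() if len(parts) == 2 else "asc"
        if column not in ALLOWED_SORT_COLUMNS:
            raise InvalidSortBy(f"column not permitted: {column!r}")
        if direction not in ALLOWED_DIRECTIONS:
            raise InvalidSortBy(f"direction not permitted: {direction!r}")
        terms.append((column, direction))
    return terms


def is_valid_sortby(sortby: str) -> bool:
    """Convenience predicate for use at a reverse proxy or request filter."""
    try:
        parse_sortby(sortby)
        return True
    except InvalidSortBy:
        return False


def safe_build_query(sortby: str) -> str:
    """Rebuild ORDER BY only from validated tokens, never from the raw input."""
    order = ", ".join(f"{col} {direction}" for col, direction in parse_sortby(sortby))
    return "SELECT contentid, title FROM tcontent ORDER BY " + order
```

For legitimate input both builders produce the same SQL; only the validated path refuses anything that is not a known column or direction.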

Priority Score

49 (KEV: 0, EPSS: +0.0, CVSS: +49, POC: 0)

CVE-2025-67830 vulnerability details – vuln.today