Skip to main content

MuraCMS CVE-2025-55043

| EUVDEUVD-2025-208831 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-18 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 16:15 euvd
EUVD-2025-208831
Analysis Generated
Mar 18, 2026 - 16:15 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create and save site bundles containing sensitive data to publicly accessible directories. This vulnerability enables complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content without administrator knowledge. This CSRF vulnerability enables complete data exfiltration from MuraCMS installations without requiring authentication. Attackers can force administrators to unknowingly create site bundles containing sensitive data, which are saved to publicly accessible web directories. The attack executes silently, leaving administrators unaware that confidential information has been compromised and is available for unauthorized download.

AnalysisAI

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators into unknowingly creating and exporting site bundles containing complete sensitive data to publicly accessible web directories. Affected administrators have no knowledge the attack occurred, enabling complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content. While no CVSS score or EPSS probability is available and KEV status is unknown, the vulnerability's silent nature combined with its ability to compromise all site data without authentication represents a critical confidentiality and integrity risk.

Technical ContextAI

This vulnerability exploits the lack of CSRF token validation in MuraCMS's bundle export functionality, specifically the createBundle method within the csettings.cfc ColdFusion component. MuraCMS is a content management system built on ColdFusion/CFML, and the vulnerability exists in versions through 10.1.10 as indicated by the release notes reference (version 10.1.4 mentioned in documentation suggests patches may exist in later versions). The root cause is CWE-352 (Cross-Site Request Forgery - CSRF), where administrative actions that export sensitive data lack proper origin validation, state tokens, or request authentication. When an administrator visits a malicious webpage while maintaining an active MuraCMS session, attacker-controlled JavaScript can trigger the bundle creation endpoint without the administrator's knowledge, causing the CMS to serialize and export all site data to the web-accessible directory where MuraCMS stores exported bundles.

RemediationAI

Upgrade MuraCMS to a patched version immediately (refer to vendor release notes at https://docs.murasoftware.com/v10/release-notes/ for the first patched version after 10.1.10). As an interim mitigation before patching is possible, implement CSRF token validation at the web application firewall or reverse proxy level by enforcing that bundle export requests originate from same-origin contexts only (validate Origin and Referer headers), restrict direct web access to bundle export directories using .htaccess or web server configuration to allow only authenticated users, enforce secure session management with SameSite=Strict cookie flags, and educate administrators to immediately review exported bundles in their web-accessible directories for unauthorized exports. Additionally, implement network segmentation to restrict admin access to MuraCMS from specific IP ranges and consider disabling bundle export functionality via ColdFusion component protection until patching completes.

Share

CVE-2025-55043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy