CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Description
MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create and save site bundles containing sensitive data to publicly accessible directories. This vulnerability enables complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content without administrator knowledge. This CSRF vulnerability enables complete data exfiltration from MuraCMS installations without requiring authentication. Attackers can force administrators to unknowingly create site bundles containing sensitive data, which are saved to publicly accessible web directories. The attack executes silently, leaving administrators unaware that confidential information has been compromised and is available for unauthorized download.
Analysis
MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the bundle creation functionality (the createBundle method of csettings.cfc) that allows unauthenticated attackers to force administrators to unknowingly create and export site bundles containing the site's sensitive data to publicly accessible web directories. Affected administrators are unaware that the attack occurred, which enables complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content. While no CVSS score or EPSS probability is available and KEV status is unknown, the vulnerability's silent nature combined with its ability to expose all site data without authentication represents a critical confidentiality and integrity risk.
Technical Context
This vulnerability exploits the lack of CSRF token validation in MuraCMS's bundle export functionality, specifically the createBundle method within the csettings.cfc ColdFusion component. MuraCMS is a content management system built on ColdFusion/CFML, and the vulnerability exists in versions through 10.1.10 (the release notes reference mentions version 10.1.4, which suggests a fix may exist in a later version). The root cause is CWE-352 (Cross-Site Request Forgery), where administrative actions that export sensitive data lack origin validation, anti-CSRF state tokens, or request authentication beyond the ambient session cookie. When an administrator visits a malicious webpage while holding an active MuraCMS session, attacker-controlled JavaScript on that page can make the browser send a request to the bundle creation endpoint without the administrator's knowledge; the CMS then serializes and exports all site data to the web-accessible directory where it stores exported bundles.
Affected Products
MuraCMS versions through 10.1.10 are affected by this vulnerability. The documentation reference points to version 10.1.4 in the release notes, which suggests that a fix may exist in 10.1.4 or later, but the CVE description explicitly states that versions through 10.1.10 are vulnerable, so that reference alone does not identify the patched release. Administrators should consult the MuraCMS vendor advisory at https://www.murasoftware.com and the version-specific release notes at https://docs.murasoftware.com/v10/release-notes/#section-version-1014 to determine the exact patched version. The affected product identifier is MuraCMS; vendor name and CPE details are pending, and the CPE provided with the record contains n/a values, indicating incomplete vendor classification.
Remediation
Upgrade MuraCMS to a patched version immediately; see the vendor release notes at https://docs.murasoftware.com/v10/release-notes/ for the first patched version after 10.1.10. Until patching is possible, apply interim mitigations: at the web application firewall or reverse proxy, allow bundle export requests only from same-origin contexts by validating the Origin and Referer headers; restrict direct web access to the bundle export directories with .htaccess or web server configuration so that only authenticated users can reach them; enforce secure session management with the SameSite=Strict cookie flag; and instruct administrators to review the exported bundles in their web-accessible directories immediately for unauthorized exports. Additionally, use network segmentation to restrict administrative access to MuraCMS to specific IP ranges, and consider disabling the bundle export functionality via ColdFusion component protection until patching is complete.
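As an added example of the same-origin gate described above (not code from MuraCMS or from vuln.today): a reverse-proxy style check that inspects only bundle-export requests and passes everything else through, and that denies an export when neither Origin nor Referer is present, since a cross-site submission with Referer stripped looks exactly like that. The request shape (csettings.cfc?method=createBundle), the site origin and the sample headers are assumptions constructed for the example; the page does not give the exact request format.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed value: the origin administrators use to reach the CMS admin UI.
SITE_ORIGIN = "https://cms.example.com"

def _origin_of(url: str):
    """Scheme + host[:port] of an absolute URL, lower-cased; None if not absolute."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None

def is_bundle_export(url: str) -> bool:
    """Assumed request shape: a remote CFC call to .../csettings.cfc?method=createBundle."""
    p = urlsplit(url)
    if not p.path.lower().endswith("csettings.cfc"):
        return False
    return any(m.lower() == "createbundle" for m in parse_qs(p.query).get("method", []))

def gate_request(url: str, headers: dict, site_origin: str = SITE_ORIGIN):
    """Decide whether a request may reach the CMS; returns (allowed, reason).

    Only requests for the bundle-export endpoint are inspected; all other
    requests pass through untouched so the gate cannot break normal traffic.
    """
    if not is_bundle_export(url):
        return True, "not a bundle-export request"
    h = {k.lower(): v for k, v in headers.items()}
    want = site_origin.lower()
    if "origin" in h:
        # Browsers send Origin on cross-site POSTs; a literal "null" denotes an
        # opaque origin and parses to None here, so it is rejected as well.
        if _origin_of(h["origin"]) == want:
            return True, "Origin matches site origin"
        return False, f"Origin {h['origin']!r} is not the site origin"
    if "referer" in h:
        # Fall back to Referer, which privacy settings may strip; absence is
        # therefore never taken as evidence of a same-origin request.
        if _origin_of(h["referer"]) == want:
            return True, "Referer matches site origin"
        return False, f"Referer {h['referer']!r} is not the site origin"
    # Neither header present on a sensitive state-changing request: deny.
    return False, "no Origin or Referer on a bundle-export request"
```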
EUVD-2025-208831