CVE-2025-55044

EUVD-2025-208832 | HIGH
2026-03-18 | mitre
8.8 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 18, 2026 - 16:15 (vuln.today)
EUVD ID Assigned: Mar 18, 2026 - 16:15 (euvd), EUVD-2025-208832
CVE Published: Mar 18, 2026 - 00:00 (nvd), HIGH 8.8

Description

The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to restore deleted content from the trash to unauthorized locations through CSRF. The vulnerable cTrash.restore function lacks CSRF token validation, enabling malicious websites to forge requests that restore content to arbitrary parent locations when an authenticated administrator visits a crafted webpage. Successful exploitation of the Trash Restore CSRF vulnerability results in unauthorized restoration of deleted content to potentially inappropriate or malicious locations within the MuraCMS website structure. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that restores specified content from the trash to a location determined by the attacker through the parentid parameter. This can lead to restoration of previously deleted malicious content, placement of sensitive documents in public areas, manipulation of website navigation structure, or restoration of outdated content that was intentionally removed for security or compliance reasons.

Analysis

A Cross-Site Request Forgery (CSRF) vulnerability exists in the cTrash.restore function of MuraCMS through version 10.1.10, which lacks CSRF token validation. An authenticated administrator can be tricked into restoring deleted content to arbitrary locations within the CMS by visiting a malicious webpage, enabling attackers to resurrect malicious or sensitive content, manipulate website structure, or restore intentionally removed materials. No CVSS score, EPSS data, or confirmation of exploitation in the wild is available at this time, though the vulnerability is documented as requiring user interaction (an administrator must visit a crafted page) and an authenticated session context.

Technical Context

The vulnerability resides in the cTrash.restore function within MuraCMS, a web content management system. The root cause is improper CSRF protection (CWE category: Cross-Site Request Forgery), specifically the absence of CSRF token validation on state-changing restore operations. When an administrator is authenticated to MuraCMS and visits an attacker-controlled webpage, that page can silently submit a hidden form to the vulnerable restore endpoint, leveraging the administrator's active session to authorize the restore action. The attacker manipulates the 'parentid' parameter to specify an unauthorized destination for restored content. MuraCMS is identified through the CPE namespace (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*), though vendor-specific CPE refinement is unavailable in current records. The vulnerability affects MuraCMS versions up to and including 10.1.10.

Affected Products

MuraCMS versions through 10.1.10 are affected. The vendor has published release notes at https://docs.murasoftware.com/v10/release-notes/ and https://docs.murasoftware.com/v10/release-notes/#section-version-1014, indicating that patched versions exist; consult the Mura Software website at https://www.murasoftware.com for current patch availability. Version 10.1.11 or later is expected to remediate this issue. The CPE entry cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:* is non-specific; customers should consult the official Mura Software advisory to confirm their installed version.

Remediation

Upgrade MuraCMS to version 10.1.11 or later as soon as possible; consult https://docs.murasoftware.com/v10/release-notes/ for patched version availability and installation instructions. Until an upgrade window is available, apply the following compensating controls: enforce HTTPS with HSTS headers to prevent man-in-the-middle interception of session tokens, implement Content Security Policy (CSP) headers to restrict cross-origin form submissions, educate administrators to avoid clicking links from untrusted sources while logged into the CMS, and consider restricting CMS access to an allowlist of trusted IP ranges using a reverse proxy or WAF. Once patched, verify that CSRF token generation and validation are enabled for all state-changing functions.

Priority Score

Priority Score: 44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +44
POC: 0

CVE-2025-55044 vulnerability details – vuln.today