CVE-2025-55046

EUVD-2025-208834 | HIGH | 2026-03-18 (mitre) | CVSS 3.1 base score 8.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 18, 2026 - 16:15 (euvd) - EUVD-2025-208834
Analysis Generated: Mar 18, 2026 - 16:15 (vuln.today)
CVE Published: Mar 18, 2026 - 00:00 (nvd)

Description

MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crafted webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent.

Analysis

MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cTrash.empty function that lacks proper token validation, allowing attackers to permanently delete all content in the trash system. An authenticated administrator visiting a malicious webpage can be tricked into permanently destroying all deleted content without their knowledge or consent, resulting in catastrophic, irreversible data loss. While no CVSS score or EPSS data is currently available, the vulnerability's attack vector is network-based with low complexity, affecting any authenticated administrator, and the technical impact of complete data destruction in the trash system constitutes a critical business continuity threat.

Technical Context

The vulnerability exists in MuraCMS, a content management system, specifically in the cTrash.empty function, which handles deletion of trashed content. The root cause is a missing CSRF token validation mechanism (CWE-352: Cross-Site Request Forgery), a common web application flaw in which state-changing operations lack proper origin verification. When an administrator is authenticated to MuraCMS, their browser holds an active session cookie and, absent SameSite restrictions, attaches it to every request sent to the site, including requests initiated from other sites. An attacker can craft a malicious webpage containing a hidden form or JavaScript that automatically submits a request to the trash-emptying endpoint. Without CSRF token validation, the server accepts the forged request as legitimate because it arrives with the authenticated user's session, regardless of whether the user actually intended to perform the action. The affected products include MuraCMS through version 10.1.10, as indicated by the vendor documentation reference to the version 10.1.4 release notes.

Affected Products

MuraCMS through version 10.1.10 is affected by this CSRF vulnerability. The vendor documentation is available at https://docs.murasoftware.com/v10/release-notes/#section-version-1014 and the vendor homepage is https://www.murasoftware.com. While the specific CPE string in the intelligence data shows incomplete vendor and product identification (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*), the vulnerability applies to all MuraCMS installations up to and including version 10.1.10. Administrators should verify their current MuraCMS version and determine if they are running version 10.1.10 or earlier, as any version in this range is vulnerable to the CSRF trash emptying attack.

Remediation

Immediately upgrade MuraCMS to a version later than 10.1.10 that includes CSRF token validation fixes in the cTrash.empty function; consult https://www.murasoftware.com and https://docs.murasoftware.com/v10/release-notes/#section-version-1014 for the latest patched release. Until patching is possible, implement compensating controls by restricting administrative backend access to specific IP ranges or through a VPN, enforcing Content Security Policy (CSP) headers to prevent loading of external malicious content, and implementing SameSite cookie attributes set to 'Strict' to prevent cross-site cookie transmission. Additionally, educate administrators about phishing risks and malicious webpage visits, and consider implementing administrative user activity logging and monitoring for trash.empty function calls to detect exploitation attempts. If available, apply any interim security patches released by Mura Software before a full version upgrade can be executed.
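The following is an added example and is not MuraCMS code or the vendor's fix. It places the unprotected pattern described under Technical Context (any request carrying a logged-in session is honoured) beside a hardened handler that applies the controls listed under Remediation: a synchronizer token bound to the session, an Origin/Referer check, and a SameSite=Strict session cookie. The site origin, route, cookie name and form-field name are constructed assumptions, not Mura's real configuration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed values: the origin, route and field names are assumptions for this
# example, not MuraCMS's real configuration or routes.
SITE_ORIGIN = "https://cms.example.test"
EMPTY_TRASH_PATH = "/admin/trash/empty"


@dataclass
class Session:
    """Server-side session resolved from the browser's session cookie."""
    user: str
    # One secret per session; the admin UI embeds it in every state-changing form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    headers: Dict[str, str]
    # None when the browser attached no valid session cookie.
    session: Optional[Session]


def empty_trash_unprotected(req: Request, trash: List[str]) -> Tuple[int, str]:
    """The vulnerable pattern: any request carrying a logged-in session is honoured,
    so a form auto-submitted from another site succeeds with the admin's cookie."""
    if req.session is None:
        return 401, "login required"
    trash.clear()
    return 200, "trash emptied"


def same_origin(header_value: str) -> bool:
    """Compare scheme and host exactly; a prefix check would wrongly accept
    https://cms.example.test.attacker.example."""
    parsed = urlparse(header_value)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def empty_trash_protected(req: Request, trash: List[str]) -> Tuple[int, str]:
    """Hardened handler: method check, origin check, synchronizer-token check."""
    if req.session is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"
    # Layer 1: browsers send Origin on cross-site POSTs; Referer is the fallback.
    # A request with neither header is rejected rather than trusted.
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not same_origin(source):
        return 403, "cross-site request rejected"
    # Layer 2: the form must carry the token tied to this session. A page on
    # another origin cannot read it, so a forged form cannot include it.
    # Constant-time comparison avoids leaking the token through timing.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return 403, "missing or invalid CSRF token"
    trash.clear()
    return 200, "trash emptied"


def session_cookie_header(session_id: str) -> str:
    """Layer 3: SameSite=Strict stops the browser from attaching the admin cookie
    to any request initiated from another site, so req.session would be None.
    The cookie name is an assumption."""
    return f"mura_session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def demo() -> dict:
    """Run a forged request and a legitimate one against both handlers."""
    admin = Session(user="admin")
    trash_a = ["deleted-page-1", "deleted-page-2"]  # constructed sample trash
    trash_b = list(trash_a)
    forged = Request("POST", EMPTY_TRASH_PATH, form={},
                     headers={"Origin": "https://attacker.example"}, session=admin)
    legit = Request("POST", EMPTY_TRASH_PATH, form={"csrf_token": admin.csrf_token},
                    headers={"Origin": SITE_ORIGIN}, session=admin)
    return {
        "unprotected_forged": empty_trash_unprotected(forged, trash_a)[0],
        "protected_forged": empty_trash_protected(forged, trash_b)[0],
        "trash_after_forged": list(trash_b),
        "protected_legit": empty_trash_protected(legit, trash_b)[0],
        "trash_after_legit": list(trash_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check in the handler is the actual fix for CWE-352; the origin check and the SameSite=Strict cookie are the compensating layers the Remediation section describes, and they remain useful after patching. Note that a SameSite=Strict cookie also keeps the session from being sent on ordinary top-level navigations from other sites (for example a link in an e-mail), which is the trade-off for blocking cross-site form submissions entirely.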

Priority Score

41 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.0, CVSS: +40, POC: 0

CVE-2025-55046 vulnerability details – vuln.today