Skip to main content

MuraCMS EUVDEUVD-2025-208833

| CVE-2025-55045 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-18 mitre
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 16:15 euvd
EUVD-2025-208833
Analysis Generated
Mar 18, 2026 - 16:15 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
HIGH 7.1

DescriptionCVE.org

The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the MuraCMS system, potentially compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add malicious addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations or deleted legitimate address records to disrupt business operations. This can lead to misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and potential social engineering attacks via the corrupted address data.

AnalysisAI

A Cross-Site Request Forgery (CSRF) vulnerability exists in MuraCMS through version 10.1.10 affecting the cUsers.updateAddress function, which lacks proper CSRF token validation. Attackers can exploit this by crafting malicious webpages that, when visited by an authenticated administrator, automatically submit hidden forms to add, modify, or delete user address records without the administrator's knowledge or consent. Successful exploitation enables unauthorized manipulation of user address data, potentially redirecting sensitive communications to attacker-controlled addresses, compromising user privacy, and disrupting legitimate business operations through injection of malicious contact information.

Technical ContextAI

The vulnerability resides in MuraCMS's address management functionality, specifically the cUsers.updateAddress function which handles CRUD operations on user address records within the content management system. The root cause is classified as CWE (Cross-Site Request Forgery) — a failure to implement anti-CSRF tokens or validation mechanisms in the address update endpoint. CSRF vulnerabilities occur when a web application does not verify that requests originating from a user's browser session are intentional; an attacker can craft HTML forms or JavaScript that automatically submit requests to the vulnerable endpoint using the victim's existing authenticated session cookies. MuraCMS versions up to 10.1.10 lack proper token-based request validation, allowing forged requests to be processed as if they were legitimate administrator actions. This affects all installations where administrators may visit untrusted webpages while authenticated to the MuraCMS admin panel.

RemediationAI

Upgrade MuraCMS to a patched version released after 10.1.10 as documented in the Mura Software release notes at https://docs.murasoftware.com/v10/release-notes/. The vendor has released security fixes addressing CSRF token validation in the updateAddress function; verify the specific patch version requirement in your deployment environment. As an interim mitigation pending patch deployment, restrict administrator access to the MuraCMS admin panel via IP whitelisting or VPN enforcement to reduce the attack surface for social engineering-based CSRF attacks. Additionally, implement Security-aware training for administrators to avoid visiting untrusted webpages while authenticated, and consider deploying browser-based CSRF protections such as SameSite cookie policies (if configurable via application or reverse proxy) to add defense-in-depth.

Share

EUVD-2025-208833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy