EUVD-2025-208833

| CVE-2025-55045 HIGH
2026-03-18 mitre
7.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 16:15 euvd
EUVD-2025-208833
Analysis Generated
Mar 18, 2026 - 16:15 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
HIGH 7.1

Tags

CSRF

Description

The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the MuraCMS system, potentially compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add malicious addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations or deleted legitimate address records to disrupt business operations. This can lead to misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and potential social engineering attacks via the corrupted address data.

Analysis

A Cross-Site Request Forgery (CSRF) vulnerability exists in MuraCMS through version 10.1.10 affecting the cUsers.updateAddress function, which lacks proper CSRF token validation. Attackers can exploit this by crafting malicious webpages that, when visited by an authenticated administrator, automatically submit hidden forms to add, modify, or delete user address records without the administrator's knowledge or consent. Successful exploitation enables unauthorized manipulation of user address data, potentially redirecting sensitive communications to attacker-controlled addresses, compromising user privacy, and disrupting legitimate business operations through injection of malicious contact information.

Technical Context

The vulnerability resides in MuraCMS's address management functionality, specifically the cUsers.updateAddress function which handles CRUD operations on user address records within the content management system. The root cause is classified as CWE (Cross-Site Request Forgery) — a failure to implement anti-CSRF tokens or validation mechanisms in the address update endpoint. CSRF vulnerabilities occur when a web application does not verify that requests originating from a user's browser session are intentional; an attacker can craft HTML forms or JavaScript that automatically submit requests to the vulnerable endpoint using the victim's existing authenticated session cookies. MuraCMS versions up to 10.1.10 lack proper token-based request validation, allowing forged requests to be processed as if they were legitimate administrator actions. This affects all installations where administrators may visit untrusted webpages while authenticated to the MuraCMS admin panel.

Affected Products

MuraCMS versions through 10.1.10 are affected. The vulnerability has been confirmed in the official Mura Software documentation and release notes available at https://docs.murasoftware.com/v10/release-notes/, with patch availability noted in version 10.1.4 release notes at https://docs.murasoftware.com/v10/release-notes/#section-version-1014. CPE data indicates the affected product is Mura CMS (vendor: murasoftware); however, the specific CPE string in the advisory is listed as generic placeholder entries. Organizations running MuraCMS 10.1.10 or earlier should prioritize identification and patching of vulnerable instances.

Remediation

Upgrade MuraCMS to a patched version released after 10.1.10 as documented in the Mura Software release notes at https://docs.murasoftware.com/v10/release-notes/. The vendor has released security fixes addressing CSRF token validation in the updateAddress function; verify the specific patch version requirement in your deployment environment. As an interim mitigation pending patch deployment, restrict administrator access to the MuraCMS admin panel via IP whitelisting or VPN enforcement to reduce the attack surface for social engineering-based CSRF attacks. Additionally, implement Security-aware training for administrators to avoid visiting untrusted webpages while authenticated, and consider deploying browser-based CSRF protections such as SameSite cookie policies (if configurable via application or reverse proxy) to add defense-in-depth.

Priority Score

36
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0

Share

EUVD-2025-208833 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy