CVE-2025-55046

High CVSS: 8.1

MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crated webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent.

Vendor

Murasoftware

Product

Mura Cms

CWE

CWE-352

Yayın Tarihi

2026-03-18 16:16:23

Güncelleme

2026-03-20 18:10:09

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-352 Mura Cms HIGH Murasoftware 2026

Referanslar

https://docs.murasoftware.com/v10/release-notes/#section-version-1014 https://www.murasoftware.com

Benzer Kayıtlar

Critical

CVE-2025-67830

Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection.

Critical

CVE-2025-67829

Mura before 10.1.14 allows beanFeed.cfc getQuery sortDirection SQL injection.

High

CVE-2025-55040

The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to upload and install malicious form defi…

High

CVE-2025-55041

MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc…

Medium

CVE-2025-55043

MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle m…

High

CVE-2025-55044

The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to restore deleted content from the tra…