FKIE_CVE-2025-55041
Vulnerability from fkie_nvd - Published: 2026-03-18 16:16 - Updated: 2026-03-20 18:12
Severity: HIGH (CVSS 3.1 base score 8.0)
Summary
MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality of user management (the addToGroup method of cUsers.cfc). The method performs no CSRF token validation and passes the user-supplied userId and groupId parameters straight to getUserManager().createUserInGorup(), so a malicious website can forge a request that executes automatically when an authenticated administrator visits a crafted page, adding any user to any group. Successful exploitation gives the attacker privilege escalation both horizontally (into other groups) and vertically (into the admin group); escalation into the Super Admins (s2 user) group is not possible by this route.
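The bug class in the summary, as an added illustration that is not MuraCMS code: a state-changing "add user to group" handler that trusts the session cookie alone, beside a hardened version that additionally requires a per-session synchronizer token, rejects foreign Origins, and applies an explicit authorization check on the target group. The handler, Session and Request types, the group id "s2", the origins and the "database" dict are all assumptions made for this example; the forged request models what a victim administrator's browser sends when an attacker page auto-submits a form to the endpoint.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "https://cms.example.test"   # assumed origin of the CMS admin UI
SUPER_ADMIN_GROUP = "s2"                    # assumed id of the super-admin group


@dataclass
class Session:
    """Server-side session that a cookie resolves to; the token is minted once per session."""
    user_id: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """A POST as the server sees it: the cookie-bound session (the browser attaches it even
    to a cross-site form post), the form fields, and the Origin header."""
    session: Optional[Session]
    form: dict
    origin: Optional[str] = None


def add_to_group_vulnerable(req: Request, db: dict) -> tuple:
    """The flawed pattern: a valid admin session is the only gate, and the supplied
    userId/groupId are acted on directly."""
    if req.session is None or not req.session.is_admin:
        return 403, "not authorized"
    db.setdefault(req.form["groupId"], set()).add(req.form["userId"])
    return 200, "added"


def add_to_group_hardened(req: Request, db: dict) -> tuple:
    """Same operation with the checks the vulnerable handler lacks."""
    if req.session is None or not req.session.is_admin:
        return 403, "not authorized"
    # Defense in depth: browsers stamp Origin on cross-site form posts, so a
    # foreign Origin on a state-changing request is rejected outright.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    # Primary defense: synchronizer token bound to the session, compared in
    # constant time. A third-party page cannot read it, so it cannot forge it.
    supplied = req.form.get("csrfToken", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return 403, "missing or invalid csrf token"
    # Authorization on the target: even a genuine admin action must not grant
    # the super-admin group through this endpoint.
    if req.form["groupId"] == SUPER_ADMIN_GROUP:
        return 403, "target group not grantable here"
    db.setdefault(req.form["groupId"], set()).add(req.form["userId"])
    return 200, "added"


def forged_request(victim: Session) -> Request:
    """Constructed: what the victim's browser sends when an attacker page auto-submits
    a form to the endpoint. The admin's session rides along, the attacker chooses the
    fields, and the browser sets Origin to the attacker's site."""
    return Request(
        session=victim,
        form={"userId": "attacker", "groupId": "admins"},
        origin="https://evil.example.test",
    )


def legitimate_request(admin: Session, user_id: str, group_id: str) -> Request:
    """Constructed: a same-origin submission from the real admin UI, carrying the token."""
    return Request(
        session=admin,
        form={"userId": user_id, "groupId": group_id, "csrfToken": admin.csrf_token},
        origin=SITE_ORIGIN,
    )


def run_scenario() -> dict:
    """Replays the forged request against both handlers and returns the outcomes."""
    victim = Session(user_id="admin1", is_admin=True)
    vuln_db: dict = {}
    hard_db: dict = {}
    forged = forged_request(victim)
    return {
        "vulnerable": add_to_group_vulnerable(forged, vuln_db),
        "vulnerable_db": vuln_db,
        "hardened": add_to_group_hardened(forged, hard_db),
        "hardened_db": hard_db,
        "legit": add_to_group_hardened(legitimate_request(victim, "alice", "editors"), hard_db),
        "legit_s2": add_to_group_hardened(legitimate_request(victim, "alice", SUPER_ADMIN_GROUP), hard_db),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The token check is the control that actually closes the CVE; the Origin check is cheap defense in depth for the case where a token is accidentally leaked or reused, and the group check is there because a CSRF fix alone does not make an over-broad endpoint safe against an administrator who is tricked in some other way.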
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| murasoftware | mura_cms | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Adding a user to the Super Admins group (s2 user) is not possible. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Escalation to the s2 User group is not possible."
},
{
"lang": "es",
"value": "MuraCMS hasta 10.1.10 contiene una vulnerabilidad CSRF en la funcionalidad Add To Group para la gesti\u00f3n de usuarios (m\u00e9todo cUsers.cfc addToGroup) que permite a los atacantes escalar privilegios al a\u00f1adir cualquier usuario a cualquier grupo sin las comprobaciones de autorizaci\u00f3n adecuadas. La funci\u00f3n vulnerable carece de validaci\u00f3n de token CSRF y procesa directamente los par\u00e1metros userId y groupId proporcionados por el usuario a trav\u00e9s de getUserManager().createUserInGorup(), lo que permite a los sitios web maliciosos forjar solicitudes que se ejecutan autom\u00e1ticamente cuando un administrador autenticado visita una p\u00e1gina dise\u00f1ada. A\u00f1adir un usuario al grupo Super Admins (usuario s2) no es posible. La explotaci\u00f3n exitosa resulta en que el atacante obtiene una escalada de privilegios tanto horizontalmente a otros grupos como verticalmente al grupo de administradores. La escalada al grupo de usuarios s2 no es posible."
}
],
"id": "CVE-2025-55041",
"lastModified": "2026-03-20T18:12:41.553",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-03-18T16:16:23.303",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.murasoftware.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.