FKIE_CVE-2025-55045

Vulnerability from fkie_nvd - Published: 2026-03-18 16:16 - Updated: 2026-03-20 18:10
Summary
The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the MuraCMS system, potentially compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add malicious addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations, or delete legitimate address records to disrupt business operations. This can lead to misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and potential social engineering attacks via the corrupted address data.
Impacted products
Vendor         Product    Version
murasoftware   mura_cms   -

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the MuraCMS system, potentially compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add malicious addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations or deleted legitimate address records to disrupt business operations. This can lead to misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and potential social engineering attacks via the corrupted address data."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad CSRF de actualizaci\u00f3n de direcci\u00f3n en MuraCMS hasta la versi\u00f3n 10.1.10 permite a los atacantes manipular la informaci\u00f3n de direcci\u00f3n del usuario a trav\u00e9s de CSRF. La funci\u00f3n vulnerable cUsers.updateAddress carece de validaci\u00f3n de token CSRF, lo que permite a sitios web maliciosos forjar solicitudes que a\u00f1aden, modifican o eliminan direcciones de usuario cuando un administrador autenticado visita una p\u00e1gina web dise\u00f1ada. La explotaci\u00f3n exitosa de la vulnerabilidad CSRF de actualizaci\u00f3n de direcci\u00f3n resulta en la manipulaci\u00f3n no autorizada de la informaci\u00f3n de direcci\u00f3n del usuario dentro del sistema MuraCMS, comprometiendo potencialmente la integridad de los datos del usuario y las comunicaciones organizacionales. Cuando un administrador autenticado visita una p\u00e1gina web maliciosa que contiene el exploit CSRF, su navegador env\u00eda autom\u00e1ticamente un formulario oculto que puede a\u00f1adir direcciones maliciosas con direcciones de correo electr\u00f3nico y n\u00fameros de tel\u00e9fono controlados por el atacante, actualizar direcciones existentes para redirigir comunicaciones a ubicaciones controladas por el atacante o eliminar registros de direcciones leg\u00edtimas para interrumpir las operaciones comerciales. Esto puede llevar a comunicaciones sensibles mal dirigidas, compromiso de la privacidad del usuario mediante la inyecci\u00f3n de informaci\u00f3n de contacto del atacante, interrupci\u00f3n de la correspondencia comercial leg\u00edtima y posibles ataques de ingenier\u00eda social a trav\u00e9s de los datos de direcci\u00f3n corruptos."
    }
  ],
  "id": "CVE-2025-55045",
  "lastModified": "2026-03-20T18:10:39.450",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T16:16:23.670",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://docs.murasoftware.com/v10/release-notes/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://www.murasoftware.com"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}