FKIE_CVE-2025-55046
Vulnerability from fkie_nvd - Published: 2026-03-18 16:16 - Updated: 2026-03-20 18:10
Severity: HIGH (CVSS 3.1 base score 8.1)
Summary
MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crafted webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| murasoftware | mura_cms | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crated webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent."
},
{
"lang": "es",
"value": "MuraCMS hasta la versi\u00f3n 10.1.10 contiene una vulnerabilidad CSRF que permite a los atacantes destruir permanentemente todo el contenido eliminado almacenado en el sistema de papelera a trav\u00e9s de un simple ataque CSRF. La funci\u00f3n vulnerable cTrash.empty carece de validaci\u00f3n de token CSRF, lo que permite a sitios web maliciosos forjar solicitudes que eliminan irreversiblemente todo el contenido en la papelera cuando un administrador autenticado visita una p\u00e1gina web creada. La explotaci\u00f3n exitosa de la vulnerabilidad CSRF resulta en una p\u00e9rdida de datos potencialmente catastr\u00f3fica dentro del sistema MuraCMS. Cuando un administrador autenticado visita una p\u00e1gina maliciosa que contiene el exploit CSRF, su navegador env\u00eda autom\u00e1ticamente un formulario oculto que vac\u00eda permanentemente todo el sistema de papelera sin ninguna validaci\u00f3n, di\u00e1logo de confirmaci\u00f3n o consentimiento del usuario."
}
],
"id": "CVE-2025-55046",
"lastModified": "2026-03-20T18:10:09.260",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-03-18T16:16:23.790",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.murasoftware.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.