Security Vulnerability Report
CVE-2025-55041 CVSS 8.0 HIGH

Published: 2026-03-18 16:16:23
Last Modified: 2026-03-20 18:12:42

Description

MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality of user management (the addToGroup method of cUsers.cfc) that allows an attacker to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable method performs no CSRF token validation and passes the user-supplied userId and groupId parameters directly to getUserManager().createUserInGorup(), so a malicious website can forge a request that executes automatically when an authenticated administrator visits a crafted page. Successful exploitation gives the attacker privilege escalation both horizontally (into other groups) and vertically (into the admin group). Escalation to the Super Admins (s2 user) group is not possible.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:* - VULNERABLE
MuraCMS <= 10.1.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
No proof-of-concept code is included in this report; the placeholder reads "a CSRF PoC code example is to be generated".
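The following is an added example written for this page, not Mura CMS code and not a proof of concept against a live installation. It models the flaw the description gives (an admin-only "add user to group" handler that trusts userId and groupId with no CSRF token check, and refuses the s2 group) beside a hardened handler that requires POST, a same-site Origin/Referer and a per-session token, then runs a forged cross-site request against both. The class names, the csrfToken field name, the attacker and CMS hostnames and the in-memory UserManager are assumptions; only userId, groupId and the s2 rule come from the report.

```python
"""Model of the CVE-2025-55041 flaw and its fix (added example, not Mura code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SUPER_ADMIN_GROUP = "S2"   # the report states the s2 (Super Admin) group cannot be reached
CSRF_PARAM = "csrfToken"   # assumed form-field name, not Mura's


@dataclass
class Session:
    """Server-side session. The CSRF token lives here, not in the cookie."""
    user_id: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    params: dict
    headers: dict
    session: Session   # resolved from the session cookie, which browsers also send on cross-site POSTs


class UserManager:
    """Stand-in for getUserManager(); memberships maps userId -> set of groupIds."""
    def __init__(self):
        self.memberships = {}

    def create_user_in_group(self, user_id, group_id):
        self.memberships.setdefault(user_id, set()).add(group_id)


def add_to_group_vulnerable(req, um):
    """The flaw: an administrator session plus userId/groupId is all it takes."""
    if not req.session.is_admin:
        return 403, "not an administrator"
    user_id, group_id = req.params["userId"], req.params["groupId"]
    if group_id.upper() == SUPER_ADMIN_GROUP:
        return 403, "s2 group is not assignable here"
    um.create_user_in_group(user_id, group_id)
    return 200, f"{user_id} added to {group_id}"


def request_origin(headers):
    """Origin of the request as scheme://host[:port]; falls back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def add_to_group_hardened(req, um, allowed_origins):
    """Same operation, gated by the checks the vulnerable method lacks."""
    if req.method != "POST":
        return 405, "state changes require POST"          # blocks <img src=...> style GET CSRF
    if not req.session.is_admin:
        return 403, "not an administrator"
    if request_origin(req.headers) not in allowed_origins:
        return 403, "cross-site origin"                   # a forged form carries the attacker's Origin
    supplied = req.params.get(CSRF_PARAM, "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403, "missing or wrong CSRF token"         # the attacker's page cannot read the token
    return add_to_group_vulnerable(req, um)


def forged_request(victim_session, user_id, group_id, method="POST"):
    """What an auto-submitted form on https://attacker.example (constructed) looks like
    when it reaches the CMS: the victim's session rides along, the token does not."""
    return Request(method, {"userId": user_id, "groupId": group_id},
                   {"Origin": "https://attacker.example"}, victim_session)


def legitimate_request(session, user_id, group_id, site):
    """A request from the CMS's own admin UI, token included."""
    return Request("POST",
                   {"userId": user_id, "groupId": group_id, CSRF_PARAM: session.csrf_token},
                   {"Origin": site}, session)


if __name__ == "__main__":
    admin = Session("admin", is_admin=True)
    forged = forged_request(admin, "attacker", "Admins")
    print("vulnerable:", add_to_group_vulnerable(forged, UserManager()))
    print("hardened:  ", add_to_group_hardened(forged, UserManager(), {"https://cms.example"}))
```

The Origin check alone is not enough (Referer can be suppressed, and older clients omit Origin on some requests), and the token alone is not enough if the token is ever reflected into a page an attacker can read; the hardened handler layers both, and rejecting non-POST closes the GET-via-image variant that a token check on form fields would not see.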

References

https://docs.murasoftware.com/v10/release-notes/#section-version-1014 (Release Notes)
https://www.murasoftware.com (Product)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55041", "sourceIdentifier": "[email protected]", "published": "2026-03-18T16:16:23.303", "lastModified": "2026-03-20T18:12:41.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Adding a user to the Super Admins group (s2 user) is not possible. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Escalation to the s2 User group is not possible."}, {"lang": "es", "value": "MuraCMS hasta 10.1.10 contiene una vulnerabilidad CSRF en la funcionalidad Add To Group para la gestión de usuarios (método cUsers.cfc addToGroup) que permite a los atacantes escalar privilegios al añadir cualquier usuario a cualquier grupo sin las comprobaciones de autorización adecuadas. La función vulnerable carece de validación de token CSRF y procesa directamente los parámetros userId y groupId proporcionados por el usuario a través de getUserManager().createUserInGorup(), lo que permite a los sitios web maliciosos forjar solicitudes que se ejecutan automáticamente cuando un administrador autenticado visita una página diseñada. Añadir un usuario al grupo Super Admins (usuario s2) no es posible. La explotación exitosa resulta en que el atacante obtiene una escalada de privilegios tanto horizontalmente a otros grupos como verticalmente al grupo de administradores. La escalada al grupo de usuarios s2 no es posible."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE"}]}]}], "references": [{"url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.murasoftware.com", "source": "[email protected]", "tags": ["Product"]}]}}