CVE-2025-55043

MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create and save site bundles containing sensitive data to publicly accessible directories. This enables complete data exfiltration, including user accounts, password hashes, form submissions, email lists, plugins, and site content, without the attacker needing to authenticate. The attack executes silently, leaving administrators unaware that confidential information has been compromised and is available for unauthorized download.

Configurations

Configuration 1

cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*

History

20 Mar 2026, 18:12

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Murasoftware; Murasoftware mura Cms |
| References | () https://docs.murasoftware.com/v10/release-notes/#section-version-1014 - | () https://docs.murasoftware.com/v10/release-notes/#section-version-1014 - Release Notes |
| References | () https://www.murasoftware.com - | () https://www.murasoftware.com - Product |
| CPE | | cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:* |

19 Mar 2026, 14:16

| Type | Values Removed | Values Added |
|---|---|---|
| CWE | | CWE-352 |
| CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 6.5 |

18 Mar 2026, 16:16

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2026-03-18 16:16

Updated : 2026-03-20 18:12


NVD link : CVE-2025-55043

Mitre link : CVE-2025-55043

CVE.ORG link : CVE-2025-55043


Products Affected

murasoftware

  • mura_cms

CWE
CWE-352

Cross-Site Request Forgery (CSRF)