Description
The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the MuraCMS system, potentially compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add malicious addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations or deleted legitimate address records to disrupt business operations. This can lead to misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and potential social engineering attacks via the corrupted address data.
Published: 2026-03-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized manipulation of user address data
Action: Patch Immediately
AI Analysis

Impact

A cross‑site request forgery flaw in the cUsers.updateAddress routine allows a malicious site to send requests that add, modify, or delete addresses on behalf of a logged‑in administrator. The attack can inject attacker‑controlled email or phone numbers, overwrite legitimate addresses, or remove them entirely, thereby corrupting business communication channels and exposing sensitive contact information. The vulnerability leverages missing CSRF token validation and directly affects the integrity of user address records within MuraCMS.

Affected Systems

The weakness exists in MuraCMS up to and including version 10.1.10; earlier releases are also impacted, as the issue was not fixed until the 10.1.10 release notes explain the update. Administrators using MuraCMS 10.1.10 or earlier are at risk, regardless of the specific deployment location.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity condition. EPSS shows a probability of exploitation below 1 %, and the flaw is not present in CISA’s Known Exploited Vulnerabilities list. Exploitation requires an authenticated administrator who inadvertently visits a malicious website; the attacker therefore exploits the lack of CSRF validation during an active session. Once the request is sent, the attacker can alter user data with the administrator’s privileges.

Generated by OpenCVE AI on March 20, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MuraCMS to version 10.1.10 or later based on the vendor release notes.
  • Verify that the cUsers.updateAddress endpoint now requires a valid CSRF token.
  • Restrict administrative access to trusted networks and enforce two‑factor authentication to reduce the window of opportunity for CSRF links.
  • Educate administrators to avoid visiting untrusted webpages while logged into the CMS.

Generated by OpenCVE AI on March 20, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title CSRF Vulnerability in MuraCMS User Address Update Function

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*

Thu, 19 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Murasoftware
Murasoftware mura Cms
Vendors & Products Murasoftware
Murasoftware mura Cms

Wed, 18 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the MuraCMS system, potentially compromising user data integrity and organizational communications. When an authenticated administrator visits a malicious webpage containing the CSRF exploit, their browser automatically submits a hidden form that can add malicious addresses with attacker-controlled email addresses and phone numbers, update existing addresses to redirect communications to attacker-controlled locations or deleted legitimate address records to disrupt business operations. This can lead to misdirected sensitive communications, compromise of user privacy through injection of attacker contact information, disruption of legitimate business correspondence, and potential social engineering attacks via the corrupted address data.
References

Subscriptions

Murasoftware Mura Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-19T13:54:33.731Z

Reserved: 2025-08-06T00:00:00.000Z

Link: CVE-2025-55045

cve-icon Vulnrichment

Updated: 2026-03-19T13:54:17.304Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T16:16:23.670

Modified: 2026-03-20T18:10:39.450

Link: CVE-2025-55045

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:54:09Z

Weaknesses