CVE-2025-55041

MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Adding a user to the Super Admins group (s2 user) is not possible. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Escalation to the s2 User group is not possible.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.murasoftware.com/v10/release-notes/#section-version-1014	Release Notes
https://www.murasoftware.com	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-18 16:16

Updated : 2026-03-20 18:12

NVD link : CVE-2025-55041

Mitre link : CVE-2025-55041

CVE.ORG link : CVE-2025-55041

JSON object : View

Products Affected

murasoftware

mura_cms

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2025-55041", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}]}, "published": "2026-03-18T16:16:23.303", "references": [{"url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://www.murasoftware.com", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Adding a user to the Super Admins group (s2 user) is not possible. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Escalation to the s2 User group is not possible."}, {"lang": "es", "value": "MuraCMS hasta 10.1.10 contiene una vulnerabilidad CSRF en la funcionalidad Add To Group para la gesti\u00f3n de usuarios (m\u00e9todo cUsers.cfc addToGroup) que permite a los atacantes escalar privilegios al a\u00f1adir cualquier usuario a cualquier grupo sin las comprobaciones de autorizaci\u00f3n adecuadas. La funci\u00f3n vulnerable carece de validaci\u00f3n de token CSRF y procesa directamente los par\u00e1metros userId y groupId proporcionados por el usuario a trav\u00e9s de getUserManager().createUserInGorup(), lo que permite a los sitios web maliciosos forjar solicitudes que se ejecutan autom\u00e1ticamente cuando un administrador autenticado visita una p\u00e1gina dise\u00f1ada. A\u00f1adir un usuario al grupo Super Admins (usuario s2) no es posible. La explotaci\u00f3n exitosa resulta en que el atacante obtiene una escalada de privilegios tanto horizontalmente a otros grupos como verticalmente al grupo de administradores. La escalada al grupo de usuarios s2 no es posible."}], "lastModified": "2026-03-20T18:12:41.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}