CVE-2025-55046

{"id": "CVE-2025-55046", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-18T16:16:23.790", "references": [{"url": "https://docs.murasoftware.com/v10/release-notes/#section-version-1014", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://www.murasoftware.com", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crated webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the MuraCMS system. When an authenticated administrator visits a malicious page containing the CSRF exploit, their browser automatically submits a hidden form that permanently empties the entire trash system without any validation, confirmation dialog, or user consent."}, {"lang": "es", "value": "MuraCMS hasta la versi\u00f3n 10.1.10 contiene una vulnerabilidad CSRF que permite a los atacantes destruir permanentemente todo el contenido eliminado almacenado en el sistema de papelera a trav\u00e9s de un simple ataque CSRF. La funci\u00f3n vulnerable cTrash.empty carece de validaci\u00f3n de token CSRF, lo que permite a sitios web maliciosos forjar solicitudes que eliminan irreversiblemente todo el contenido en la papelera cuando un administrador autenticado visita una p\u00e1gina web creada. La explotaci\u00f3n exitosa de la vulnerabilidad CSRF resulta en una p\u00e9rdida de datos potencialmente catastr\u00f3fica dentro del sistema MuraCMS. Cuando un administrador autenticado visita una p\u00e1gina maliciosa que contiene el exploit CSRF, su navegador env\u00eda autom\u00e1ticamente un formulario oculto que vac\u00eda permanentemente todo el sistema de papelera sin ninguna validaci\u00f3n, di\u00e1logo de confirmaci\u00f3n o consentimiento del usuario."}], "lastModified": "2026-03-20T18:10:09.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:murasoftware:mura_cms:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB4646EE-1255-4B42-890A-E0B57EBFE2CE"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}