汇总 murasoftware 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
历史漏洞主要涉及 CSRF与SQL 注入 等问题,部分漏洞可能导致 数据泄露,并影响 生产负载与软件部署 相关场景。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-67830 | Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection. | [email protected] | 9.8 | 0.32% | 2026-03-18 | 2026-03-21 |
| CVE-2025-67829 | Mura before 10.1.14 allows beanFeed.cfc getQuery sortDirection SQL injection. | [email protected] | 9.8 | 0.26% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55046 | MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crated webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the | [email protected] | 8.1 | 0.12% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55045 | The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the | [email protected] | 7.1 | 0.11% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55044 | The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to restore deleted content from the trash to unauthorized locations through CSRF. The vulnerable cTrash.restore function lacks CSRF token validation, enabling malicious websites to forge requests that restore content to arbitrary parent locations when an authenticated administrator visits a crafted webpage. Successful exploitation of the Trash Restore CSRF vulnerability results in unauthorized restoration of deleted | [email protected] | 8.8 | 0.13% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55043 | MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create and save site bundles containing sensitive data to publicly accessible directories. This vulnerability enables complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content without administrator knowledge. This CSRF vulnerability enables | [email protected] | 6.5 | 0.16% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55041 | MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authe | [email protected] | 8.0 | 0.13% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55040 | The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to upload and install malicious form definitions through a CSRF attack. The vulnerable cForm.importform function lacks CSRF token validation, enabling malicious websites to forge file upload requests that install attacker-controlled forms when an authenticated administrator visits a crafted webpage. Full exploitation of this vulnerability would require the victim to select a malicious ZIP file containing form definiti | [email protected] | 8.8 | 0.16% | 2026-03-18 | 2026-03-20 |
| CVE-2022-47003 | A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request. | [email protected] | 9.8 | 3.64% | 2023-02-01 | 2025-03-27 |