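Aggregated CVE and security vulnerability intelligence for all murasoftware products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical vulnerabilities mainly involve CSRF and SQL injection; some may lead to data leakage and affect production workload and software deployment scenarios.
The vulnerability data comes mainly from public vulnerability disclosures and security advisories, and can be used to assess historical vulnerability exposure and patching priority.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |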
|---|---|---|---|---|---|---|
| CVE-2025-67830 | Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection. | [email protected] | 9.8 | 0.01% | 2026-03-18 | 2026-03-21 |
| CVE-2025-67829 | Mura before 10.1.14 allows beanFeed.cfc getQuery sortDirection SQL injection. | [email protected] | 9.8 | 0.01% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55046 | MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that irreversibly delete all trashed content when an authenticated administrator visits a crafted webpage. Successful exploitation of the CSRF vulnerability results in potentially catastrophic data loss within the | [email protected] | 8.1 | 0.02% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55045 | The update address CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to manipulate user address information through CSRF. The vulnerable cUsers.updateAddress function lacks CSRF token validation, enabling malicious websites to forge requests that add, modify, or delete user addresses when an authenticated administrator visits a crafted webpage. Successful exploitation of the update address CSRF vulnerability results in unauthorized manipulation of user address information within the | [email protected] | 7.1 | 0.02% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55044 | The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to restore deleted content from the trash to unauthorized locations through CSRF. The vulnerable cTrash.restore function lacks CSRF token validation, enabling malicious websites to forge requests that restore content to arbitrary parent locations when an authenticated administrator visits a crafted webpage. Successful exploitation of the Trash Restore CSRF vulnerability results in unauthorized restoration of deleted | [email protected] | 8.8 | 0.02% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55043 | MuraCMS through 10.1.10 contains a CSRF vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators to create and save site bundles containing sensitive data to publicly accessible directories. This vulnerability enables complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content without administrator knowledge. This CSRF vulnerability enables | [email protected] | 6.5 | 0.03% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55041 | MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authe | [email protected] | 8.0 | 0.02% | 2026-03-18 | 2026-03-20 |
| CVE-2025-55040 | The import form CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to upload and install malicious form definitions through a CSRF attack. The vulnerable cForm.importform function lacks CSRF token validation, enabling malicious websites to forge file upload requests that install attacker-controlled forms when an authenticated administrator visits a crafted webpage. Full exploitation of this vulnerability would require the victim to select a malicious ZIP file containing form definiti | [email protected] | 8.8 | 0.02% | 2026-03-18 | 2026-03-20 |
| CVE-2022-47003 | A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request. | [email protected] | 9.8 | 24.44% | 2023-02-01 | 2025-03-27 |