MuraCMS
cpe:2.3:a:getmura:mura_cms:*:*:*:*:*:*:*, +1 more
- <= 10.1.10
A cross-site request forgery (CSRF) vulnerability has been identified in MuraCMS versions through 10.1.10. The cForm.importform function lacks proper CSRF token validation, which allows attackers to upload and install malicious form definitions. When an authenticated administrator visits a crafted webpage, the attack automatically generates a ZIP file containing form definitions and uploads it through a forged file upload request; once uploaded, the definitions create data collection forms capable of stealing sensitive information. Because CSRF protection is absent, a malicious website can forge the upload request and have it executed in the context of the authenticated user.
Exploitation of this vulnerability could lead to the unauthorized installation of malicious data collection forms on the targeted MuraCMS website, potentially allowing attackers to harvest sensitive user information.
Users can update to MuraCMS version 10.1.11 or later, where this vulnerability has been addressed.
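Until the update is applied, and to review past activity, access logs can be checked for uploads to the affected function that did not originate from the site itself. The following is an added example, not part of the advisory or of MuraCMS: it assumes Apache/nginx combined log format and that the function name `cForm.importform` appears in the request URL; the `muraAction` parameter, hosts and addresses in the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format: request line, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)
ACTION = "cform.importform"  # function named in the advisory, matched case-insensitively


def classify(line, site_hosts):
    """Return None for unrelated lines, else (verdict, ip, timestamp, referer)."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or ACTION not in m["target"].lower():
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "review"  # referrer suppressed: a forged request cannot be ruled out
    else:
        try:
            host = (urlsplit(referer).hostname or "").lower()
        except ValueError:  # malformed Referer header
            host = ""
        verdict = "same-site" if host in site_hosts else "cross-site"
    return verdict, m["ip"], m["ts"], referer


def scan(lines, site_hosts):
    """Return every import-form POST that was not clearly sent from the site itself."""
    hosts = {h.lower() for h in site_hosts}
    hits = (classify(line, hosts) for line in lines)
    return [h for h in hits if h and h[0] != "same-site"]


# Constructed sample log lines; hosts and addresses are made up, and the
# muraAction query parameter is an assumption about how the function is invoked.
SAMPLE = [
    '203.0.113.10 - - [12/Mar/2025:10:01:22 +0000] "POST /admin/?muraAction=cForm.importform HTTP/1.1" 200 512 "https://cms.example.org/admin/" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2025:10:07:41 +0000] "POST /admin/?muraAction=cForm.importform HTTP/1.1" 200 512 "https://other.example.net/page.html" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2025:10:09:03 +0000] "POST /admin/?muraAction=cForm.importform HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2025:10:10:15 +0000] "GET /index.cfm HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE, ["cms.example.org"]):
        print(*hit, sep="\t")
```

A `cross-site` or `review` hit is a prompt to inspect the forms installed around that timestamp, not proof of compromise, since a browser's referrer policy can strip the header from legitimate requests as well.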