MuraCMS Cross-Site Request Forgery Vulnerability in Bundle Creation Allowing Data Exfiltration

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in MuraCMS versions through 10.1.10. The vulnerability resides in the bundle creation feature, specifically the createBundle method of 'csettings.cfc'. It allows an unauthenticated attacker to trick an authenticated administrator's browser into creating and saving a site bundle that contains sensitive information; the bundle is then stored in a publicly accessible directory. Exploitation could lead to unauthorized access to and download of confidential data, including user accounts, password hashes, form submissions, email lists, plugins, and site content, all without the administrator's knowledge.

Impact

Exploitation of this vulnerability could result in complete data exfiltration from MuraCMS installations, including sensitive user information and site content, without the knowledge of the administrator.

Remediation

Users are advised to update to MuraCMS version 10.1.11 or later, where this vulnerability has been addressed.
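The underlying defect is a state-changing admin action that accepts a request without proving the request came from the administrator's own session on the site's own origin. The following Python example, added here and not MuraCMS code, shows the two checks a hardened endpoint of this kind would apply before performing an export: a synchronizer token bound to the server-side session, and an Origin/Referer host check. The endpoint behaviour, header layout, host names and token field name are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example, not code from MuraCMS. Models the checks a
# state-changing admin action (such as a bundle export) should perform.


def issue_csrf_token(session: dict) -> str:
    """Store a fresh, unguessable token in the server-side session and return it
    so the admin form can embed it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict, allowed_hosts: set) -> bool:
    """Return True only when the Origin (or, failing that, Referer) host is ours.
    Browsers send Origin on cross-site POSTs, so a foreign or missing value
    is treated as unsafe rather than silently accepted."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    host = urlsplit(value).hostname
    return host is not None and host.lower() in allowed_hosts


def validate_state_change(method: str, headers: dict, form: dict,
                          session: dict, allowed_hosts: set):
    """Gate a state-changing request. Returns (accepted, reason).

    Order matters: cheap request-shape checks first, then the origin check,
    then the constant-time token comparison against the session copy."""
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return False, "state changes must not be reachable via GET"
    if not origin_allowed(headers, allowed_hosts):
        return False, "cross-site or missing Origin/Referer"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # compare_digest on bytes avoids timing leaks and tolerates non-ASCII input
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> dict:
    """Run a legitimate admin submission and a forged cross-site one."""
    allowed = {"cms.example.com"}          # assumed site host
    session = {}                           # the admin's server-side session
    token = issue_csrf_token(session)

    # Legitimate submission from the admin UI: same origin, carries the token.
    legit = validate_state_change(
        "POST", {"Origin": "https://cms.example.com"},
        {"csrf_token": token, "bundle": "full-site"}, session, allowed)

    # Forged submission: the admin's browser is made to POST from a third-party
    # page. The session cookie rides along, but Origin is foreign and the
    # attacker cannot read the token out of the admin's session.
    forged = validate_state_change(
        "POST", {"Origin": "https://third-party.example"},
        {"bundle": "full-site"}, session, allowed)

    return {"legitimate": legit, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} accepted={result[0]} ({result[1]})")
```

The token check alone defeats the forged request, because the attacker's page has no way to read a value held in the administrator's session; the origin check is a second, independent layer for clients that omit or strip the form field. Neither check addresses the second half of the advisory: an export written under a web-served path is readable by anyone who can guess its name, so export artifacts should be written outside the document root and served only through an authenticated download handler.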

Added: Mar 18, 2026, 4:55 PM
Updated: Mar 18, 2026, 4:55 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.5
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.