MuraCMS Cross-Site Request Forgery Vulnerability in Address Update Function

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in MuraCMS versions through 10.1.10. This vulnerability allows attackers to manipulate user address information by exploiting the cUsers.updateAddress function, which lacks proper CSRF token validation. As a result, malicious websites can forge requests to add, modify, or delete user addresses when an authenticated administrator visits the crafted webpage. Successful exploitation leads to unauthorized changes in user address data within the MuraCMS system, potentially disrupting user privacy and organizational communications.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of user address information, which can disrupt business operations and user privacy. The injected contact details could be used for social engineering attacks, while deleted addresses could cause misdirection of important communications.

Remediation

Users can update to MuraCMS version 10.1.4 or later, where this vulnerability has been addressed.
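
To check whether an instance was affected before it was patched, web server access logs can be reviewed for cUsers.updateAddress requests that did not originate from the site's own pages. The following is an added example, not code from MuraCMS or from this advisory; it assumes combined-format logs, that the action name appears in a muraAction query parameter, and a hypothetical site host cms.example.com.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions, not taken from the advisory: logs are in combined format, the
# action name travels in a "muraAction" query parameter, SITE_HOSTS is yours.
SITE_HOSTS = {"cms.example.com"}
TARGET_ACTION = "cusers.updateaddress"

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def classify(line):
    """Return (timestamp, client, verdict) for updateAddress hits, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["url"]).query)
    actions = [v.lower() for k, vals in query.items()
               if k.lower() == "muraaction" for v in vals]
    if TARGET_ACTION not in actions:
        return None
    referer = m["referer"]
    host = urlsplit(referer).hostname if referer not in ("", "-") else None
    if host is None:
        verdict = "no-referer"   # stripped by policy or proxy: review by hand
    elif host in SITE_HOSTS:
        verdict = "same-site"    # consistent with the admin UI itself
    else:
        verdict = "cross-site"   # request was triggered from another origin
    return m["ts"], m["ip"], verdict

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2026:10:01:02 +0000] "POST /admin/?muraAction=cUsers.updateAddress HTTP/1.1" 302 0 "https://cms.example.com/admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Mar/2026:10:05:40 +0000] "POST /admin/?muraAction=cUsers.updateAddress HTTP/1.1" 302 0 "https://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Mar/2026:10:06:11 +0000] "POST /admin/?muraAction=cUsers.updateAddress HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Mar/2026:10:07:00 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def findings(lines):
    """Keep only the hits that did not come from the site's own pages."""
    hits = filter(None, map(classify, lines))
    return [h for h in hits if h[2] != "same-site"]

if __name__ == "__main__":
    for ts, ip, verdict in findings(SAMPLE_LOG):
        print(f"{ts} {ip} {verdict}")
```

Each flagged entry should be compared against the address records changed at that timestamp, since a missing Referer alone does not prove a forged request.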

Added: Mar 18, 2026, 4:46 PM
Updated: Mar 18, 2026, 4:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.