9 matches found
CVE-2022-47003
Mura CMS before 10.0.580 is vulnerable to authentication bypass via the Remember Me feature. The weakness allows an attacker to bypass login through a crafted web request, enabling access to sensitive data and potential unauthorized actions on the affected site. Affected software: Mura CMS versio...
CVE-2025-55041
CVE-2025-55041 affects MuraCMS up to version 10.1.10. The vulnerability is a CSRF flaw in the Add To Group function for user management (cUsers.cfc addToGroup) that processes userId and groupId via getUserManager().createUserInGorup() without CSRF token validation. This enables a forged request t...
CVE-2025-55043
MuraCMS ≤ 10.1.10 suffers a CSRF in the bundle creation function (csettings.cfc createBundle) that can force administrators to generate and store site bundles containing sensitive data in publicly accessible directories. This unauthenticated CSRF enables complete data exfiltration (user accounts,...
CVE-2025-55044
The CVE-2025-55044 entry concerns MuraCMS (up to v10.1.10) and a CSRF flaw in the cTrash.restore function. The vulnerability allows an authenticated administrator visiting a crafted page to trigger CSRF requests that restore content from the trash to arbitrary parent locations, due to missing CSR...
CVE-2025-55045
CVE-2025-55045 affects MuraCMS up to version 10.1.10. The issue is a CSRF in the cUsers.updateAddress function that lacks CSRF token validation, allowing a crafted page to forge requests when an authenticated administrator visits it. This can add, modify, or delete user addresses, e.g., with atta...
CVE-2025-55046
Summary: MuraCMS up to version 10.1.10 has a CSRF vulnerability in the cTrash.empty function, which lacks CSRF token validation. When an authenticated administrator visits a page containing a CSRF exploit, a forged request can permanently delete all trashed content, causing irreversible ...
CVE-2025-55040
CVE-2025-55040 affects MuraCMS up to version 10.1.10. The issue is a CSRF in the cForm.importform function that lacks CSRF token validation, allowing a malicious site to forge file-upload requests. When an authenticated administrator visits a crafted page and selects a ZIP containing attacker...
CVE-2025-67829
CVE-2025-67829 affects Mura CMS prior to version 10.1.14, where the issue resides in the beanFeed.cfc getQuery sortDirection path and enables a SQL injection. The vulnerability is described as allowing malicious input to influence SQL logic, potentially affecting data access via the affected...
CVE-2025-67830
Mura before 10.1.14 is affected by an SQL injection in beanFeed.cfc getQuery sortby. The vulnerability stems from unsafely handling the sortby parameter in that function. No exploitation details are provided in the documents. Remediation details are not specified here.