PT-2026-26079 · Mura Cms · Mura Cms

Published 2026-03-18 · Updated 2026-03-19 · CVE-2025-55040

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
MuraCMS versions through 10.1.10

Description
A Cross-Site Request Forgery (CSRF) issue exists in the import form functionality of MuraCMS. The cForm.importform function does not validate CSRF tokens, so an attacker can forge file upload requests that upload and install malicious form definitions. The forged requests are executed when an authenticated administrator visits a malicious webpage. Exploitation involves the administrator selecting a malicious ZIP file containing form definitions, potentially leading to the installation of data collection forms designed to steal sensitive user information.

Recommendations
Update MuraCMS installations running versions through 10.1.10 to a newer, secure version that addresses this vulnerability. As a temporary workaround, consider restricting access to the import form functionality to trusted administrators only.

Fix

CSRF

Weakness Enumeration

Related Identifiers: CVE-2025-55040

Affected Products: Mura Cms