Lucene search

[email protected]CVE-2021-27910

HistoryAug 30, 2021 - 4:15 p.m.

CVE-2021-27910

2021-08-3016:15:07

CWE-79

[email protected]

web.nvd.nist.gov

cve-2021-27910

insufficient sanitization

filtering

javascript injection

mautic

bounce management callback

webhooks

post request

authentication

information security

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.0%

JSON

Insufficient sanitization / filtering allows for arbitrary JavaScript Injection in Mautic using the bounce management callback function. The values submitted in the “error” and “error_related_to” parameters of the POST request of the bounce management callback will be permanently stored and executed once the details page of an affected lead is opened by a Mautic user. An attacker with access to the bounce management callback function (identified with the Mailjet webhook, but it is assumed this will work uniformly across all kinds of webhooks) can inject arbitrary JavaScript Code into the “error” and “error_related_to” parameters of the POST request (POST /mailer/<product / webhook>/callback). It is noted that there is no authentication needed to access this function. The JavaScript Code is stored permanently in the web application and executed every time an authenticated user views the details page of a single contact / lead in Mautic. This means, arbitrary code can be executed to, e.g., steal or tamper with information.

Affected configurations

NVD

Node

acquiamauticRange<3.3.4

acquiamauticMatch4.0.0alpha1

acquiamauticMatch4.0.0beta

acquiamauticMatch4.0.0rc

CPENameOperatorVersion
acquia:mauticacquia mauticlt3.3.4
acquia:mauticacquia mauticeq4.0.0

CPE	Name	Operator	Version
acquia:mautic	acquia mautic	lt	3.3.4
acquia:mautic	acquia mautic	eq	4.0.0

CNA Affected

[
  {
    "product": "Mautic",
    "vendor": "Mautic",
    "versions": [
      {
        "lessThan": "3.3.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.0.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/mautic/mautic/security/advisories/GHSA-86pv-95mj-7w5f

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.0%

JSON

Related for CVE-2021-27910

github1 osv2 prion1 cnvd1 nvd1 cvelist1 friendsofphp1