GitHub Advisory DatabaseGHSA-42Q7-95J7-W62M

HistoryMay 15, 2024 - 5:33 p.m.

Mautic is vulnerable to XSS vulnerability

2024-05-1517:33:20

CWE-79

GitHub Advisory Database

github.com

mautic

xss

vulnerability

upgrade

administrator

patch

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.9%

JSON

Impact

This is a cross-site scripting vulnerability which affects every version of Mautic and could allow an attacker unauthorised administrator level access to Mautic.

This vulnerability was reported by Naveen Sunkavally at Horizon3.ai.

Patches

Upgrade to 3.2.4 or 2.16.5.

Link to patch for 2.x versions: https://github.com/mautic/mautic/compare/2.16.4...2.16.5.diff

Link to patch for 3.x versions: https://github.com/mautic/mautic/compare/3.2.2...3.2.4.diff

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Post in https://forum.mautic.org/c/support
Email us at [email protected]

CPENameOperatorVersion
mautic/corelt3.2.4
mautic/corelt2.16.5

CPE	Name	Operator	Version
	mautic/core	lt	3.2.4
	mautic/core	lt	2.16.5

References

forum.mautic.org/c/announcements/16

github.com/advisories/GHSA-42q7-95j7-w62m

github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2020-35125.yaml

github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62m

nvd.nist.gov/vuln/detail/CVE-2020-35125

packagist.org/packages/mautic/core

www.horizon3.ai/disclosures/mautic-unauth-xss-to-rce

www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4