This is a cross-site scripting vulnerability in the create/edit company functionality; exploiting it requires the user to be logged in as an administrator.
This vulnerability was reported by Dardan Prebreza at Bishop Fox.
Upgrade to 3.2.4 or 2.16.5.
Link to patch for 2.x versions: https://github.com/mautic/mautic/compare/2.16.4...2.16.5.diff
Link to patch for 3.x versions: https://github.com/mautic/mautic/compare/3.2.2...3.2.4.diff
None
https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version
---|---|---|---
 | mautic/core | lt | 2.16.5
 | mautic/core | lt | 3.2.4
github.com/advisories/GHSA-p7v4-gm6j-cw9m
github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-3142.yaml
github.com/mautic/mautic/commit/ba31db23e664f889da55a29ff27f797e2ab5cb1b
github.com/mautic/mautic/releases/tag/3.2.4
github.com/mautic/mautic/security/advisories/GHSA-p7v4-gm6j-cw9m
nvd.nist.gov/vuln/detail/CVE-2021-3142
www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-3
www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4