Mautic vulnerable to cross-site scripting in notifications via saving Dashboards

2024-04-1213:52:54

Google

osv.dev

mautic

cross-site scripting

notifications

dashboards

vulnerability

patches

self xss

malicious code

owasp

software

6.2 Medium

AI Score

Confidence

High

JSON

Impact

Prior to the patched version, logged in users of Mautic are vulnerable to a self XSS vulnerability in the notifications within Mautic.

Users could inject malicious code into the notification when saving Dashboards.

Patches

Update to Mautic 4.4.12.

Workarounds

None

References

https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

If you have any questions or comments about this advisory:

Email us at [email protected]

CPENameOperatorVersion
mautic/coreeq1.1.3
mautic/coreeq3.2.0-rc
mautic/coreeq2.11.0-beta
mautic/coreeq3.0.2
mautic/coreeq4.4.1
mautic/coreeq3.1.2
mautic/coreeq3.2.2-rc
mautic/coreeq4.4.7
mautic/coreeq2.12.1-beta
mautic/coreeq3.1.1

Name	Operator	Version
mautic/core	eq	1.1.3
mautic/core	eq	3.2.0-rc
mautic/core	eq	2.11.0-beta
mautic/core	eq	3.0.2
mautic/core	eq	4.4.1
mautic/core	eq	3.1.2
mautic/core	eq	3.2.2-rc
mautic/core	eq	4.4.7
mautic/core	eq	2.12.1-beta
mautic/core	eq	3.1.1