Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-VFXJ-QG93-7WWC
HistoryJan 19, 2021 - 9:16 p.m.

Mautic Sessions could be hijacked due to tracking contacts by an auto-incremented ID

2021-01-1921:16:21
Google
osv.dev
8
mautic
contact tracking
vulnerability
cookie manipulation
progressive profiling
security advisory

EPSS

0.002

Percentile

54.2%

JSON

Impact

An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It is possible to systematically emulate tracking cookies per contact due to tracking the contact by their auto-incremented ID. Thus, a third party can manipulate the cookie value with +1 to systematically assume being tracked as each contact in Mautic. It is then possible to retrieve information about the contact through forms that have progressive profiling enabled.

Patches

Update to 2.13.0 or later

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Related

cvelist 1
nvd 1
github 1
osv 1
openvas 1
cve 1
veracode 1
prion 1
cvelist
cvelist
CVE-2018-10189
2018-04-17 20:00:00
nvd
nvd
CVE-2018-10189
2018-04-17 20:29:00
github
github
Mautic Sessions could be hijacked due to tracking contacts by an auto-incremented ID
2021-01-19 21:16:21
osv
osv
CVE-2018-10189
2018-04-17 20:29:00
openvas
openvas
Mautic 2.12 Information Disclosure Vulnerability
2018-04-19 00:00:00
cve
cve
CVE-2018-10189
2018-04-17 20:29:00
veracode
veracode
Information DIsclosure
2021-01-20 18:06:02
prion
prion
Design/Logic Flaw
2018-04-17 20:29:00

EPSS

0.002

Percentile

54.2%

JSON
Related for OSV:GHSA-VFXJ-QG93-7WWC
cvelist1nvd1github1osv1openvas1cve1veracode1prion1