Mautic has an XSS in contact tracking and page hits report

High severity GitHub Reviewed Published Sep 18, 2024 in mautic/mautic • Updated Sep 19, 2024

Package: mautic/core (Composer)
Affected versions: >= 1.0.0-beta4, < 4.4.13; >= 5.0.0-alpha, < 5.1.1
Patched versions: 4.4.13, 5.1.1

Package: mautic/core-lib (Composer)
Affected versions: >= 1.0.0-beta4, < 4.4.13; >= 5.0.0-alpha, < 5.1.1
Patched versions: 4.4.13, 5.1.1

Description

Summary

Prior to this patch, a stored cross-site scripting (XSS) vulnerability existed in the contact tracking and page hits report.

Patches

Please update to 4.4.13 or 5.1.1 or later.

Workarounds

None

References

https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting

If you have any questions or comments about this advisory:

Email us at [email protected]

References

RCheesley published to mautic/mautic Sep 18, 2024
Published to the GitHub Advisory Database Sep 18, 2024
Reviewed Sep 18, 2024
Published by the National Vulnerability Database Sep 18, 2024
Last updated Sep 19, 2024

Severity

High

EPSS score

0.043%
(10th percentile)

CVE ID

CVE-2021-27917

GHSA ID

GHSA-xpc5-rr39-v8v2
