Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14djY4LXJybXctOXh3Zs4AA_rg
Mautic vulnerable to Cross-site Scripting (XSS) - stored (edit form HTML field)
Impact
An attacker with access to edit a Mautic form can store a Cross-Site Scripting (XSS) payload in the form's HTML field. This could be used to steal sensitive information from the user's current session.
Patches
Upgrade to 4.4.13 or 5.1.1 or later.
Workarounds
None
References
- https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting
If you have any questions or comments about this advisory:
Email us at [email protected]
Permalink: https://github.com/advisories/GHSA-xv68-rrmw-9xwf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14djY4LXJybXctOXh3Zs4AA_rg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00047
EPSS Percentile: 0.19404
Identifiers: GHSA-xv68-rrmw-9xwf, CVE-2024-47058
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-xv68-rrmw-9xwf
- https://nvd.nist.gov/vuln/detail/CVE-2024-47058
- https://github.com/mautic/mautic/commit/344b908ef690283e7d8d3fc5cc1327396a1c3046
- https://github.com/mautic/mautic/commit/88153a15b3cea331b7036d956b880c69e81a0032
- https://github.com/advisories/GHSA-xv68-rrmw-9xwf
Blast Radius: 9.3
Affected Packages
packagist:mautic/core-lib
Dependent packages: 56
Dependent repositories: 85
Downloads: 44,983 total
Affected Version Ranges: >= 1.0.0-beta, < 4.4.13, >= 5.0.0-alpha, < 5.1.1
Fixed in: 4.4.13, 5.1.1
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0
All unaffected versions: 4.4.13, 5.1.1, 5.2.0, 5.2.1
packagist:mautic/core
Dependent packages: 2
Dependent repositories: 3
Downloads: 2,009 total
Affected Version Ranges: >= 1.0.0-beta, < 4.4.13, >= 5.0.0-alpha, < 5.1.1
Fixed in: 4.4.13, 5.1.1
All affected versions: 1.0.0, 1.0.0-beta, 1.0.0-beta2, 1.0.0-beta3, 1.0.0-beta4, 1.0.0-rc1, 1.0.0-rc2, 1.0.0-rc3, 1.0.0-rc4, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0
All unaffected versions: 4.4.13, 5.1.1, 5.2.0, 5.2.1