Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14djY4LXJybXctOXh3Zs4AA_rg

Mautic vulnerable to Cross-site Scripting (XSS) - stored (edit form HTML field)

Impact

With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session.

Patches

Upgrade to 4.4.13 or 5.1.1 or later.

Workarounds

None

References

If you have any questions or comments about this advisory:

Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-xv68-rrmw-9xwf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14djY4LXJybXctOXh3Zs4AA_rg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago


CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00047
EPSS Percentile: 0.19404

Identifiers: GHSA-xv68-rrmw-9xwf, CVE-2024-47058
References: Repository: https://github.com/mautic/mautic
Blast Radius: 9.3

Affected Packages

packagist:mautic/core-lib
Dependent packages: 56
Dependent repositories: 85
Downloads: 44,983 total
Affected Version Ranges: >= 1.0.0-beta, < 4.4.13, >= 5.0.0-alpha, < 5.1.1
Fixed in: 4.4.13, 5.1.1
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0
All unaffected versions: 4.4.13, 5.1.1, 5.2.0, 5.2.1
packagist:mautic/core
Dependent packages: 2
Dependent repositories: 3
Downloads: 2,009 total
Affected Version Ranges: >= 1.0.0-beta, < 4.4.13, >= 5.0.0-alpha, < 5.1.1
Fixed in: 4.4.13, 5.1.1
All affected versions: 1.0.0, 1.0.0-beta, 1.0.0-beta2, 1.0.0-beta3, 1.0.0-beta4, 1.0.0-rc1, 1.0.0-rc2, 1.0.0-rc3, 1.0.0-rc4, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0
All unaffected versions: 4.4.13, 5.1.1, 5.2.0, 5.2.1