Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wanBjLTg3bXAtNDMzMs4AArNG
Cross-site Scripting vulnerability in Mautic's tracking pixel functionality
Impact
Mautic allows you to track open rates by using tracking pixels.
The tracking information is stored together with extra metadata of the tracking request.
The output isn't sufficiently filtered when showing the metadata of the tracking information, which may lead to a vulnerable situation.
Patches
Please upgrade to 4.3.0
Workarounds
None.
References
- Internally tracked under MST-38
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wanBjLTg3bXAtNDMzMs4AArNG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 9.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
EPSS Percentage: 0.00216
EPSS Percentile: 0.59121
Identifiers: GHSA-pjpc-87mp-4332, CVE-2022-25772
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-pjpc-87mp-4332
- https://github.com/mautic/mautic/commit/462eb596027fd949efbf9ac5cb2b376805e9d246
- https://nvd.nist.gov/vuln/detail/CVE-2022-25772
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00847.html
- https://github.com/advisories/GHSA-pjpc-87mp-4332
Blast Radius: 4.6
Affected Packages
packagist:mautic/core
Dependent packages: 2Dependent repositories: 3
Downloads: 2,009 total
Affected Version Ranges: < 4.3.0
Fixed in: 4.3.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2
All unaffected versions: 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.2.0, 5.2.1