Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA3djQtZ202ai1jdzlt
XSS in Mautic
Impact
This is a cross-site scripting vulnerability relating to creating/editing a company which requires the user to be logged in as an administrator to be executed.
This vulnerability was reported by Dardan Prebreza at Bishop Fox.
Patches
Upgrade to 3.2.4 or 2.16.5.
Link to patch for 2.x versions: https://github.com/mautic/mautic/compare/2.16.4...2.16.5.diff
Link to patch for 3.x versions: https://github.com/mautic/mautic/compare/3.2.2...3.2.4.diff
Workarounds
None
References
https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
For more information
If you have any questions or comments about this advisory:
- Post in https://forum.mautic.org/c/support
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA3djQtZ202ai1jdzlt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: 3 months ago
Identifiers: GHSA-p7v4-gm6j-cw9m, CVE-2021-3142
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-p7v4-gm6j-cw9m
- https://nvd.nist.gov/vuln/detail/CVE-2021-3142
- https://github.com/mautic/mautic/commit/ba31db23e664f889da55a29ff27f797e2ab5cb1b
- https://github.com/mautic/mautic/releases/tag/3.2.4
- https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-3
- https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-3142.yaml
- https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
- https://github.com/advisories/GHSA-p7v4-gm6j-cw9m
Blast Radius: 0.0
Affected Packages
packagist:mautic/core
Dependent packages: 2Dependent repositories: 3
Downloads: 1,952 total
Affected Version Ranges: >= 2.0.0, < 2.16.5, >= 3.0.0, < 3.2.4
Fixed in: 2.16.5, 3.2.4
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.16.5, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4