CVE-2021-27915
Published 2024-09-17
Priority: P3 (43)
CVSS 3.1: 9 (critical), vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.58% (43.5th percentile)
Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions.
This could lead to the user having elevated access to the system.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acquia | mautic | — | — |
| acquia | mautic | >= 1.0.0 < 4.4.12 | 4.4.12 |
| mautic | core | >= 1.0.0-beta2 < 4.4.12 | 4.4.12 |
| mautic | mautic | >= 1.0.0-beta2, <= 4.4.11 | — |
GHSA
Mautic vulnerable to stored cross-site scripting in description field
ghsa·2024-04-11
CVE-2021-27915 [HIGH] CWE-79 Mautic vulnerable to stored cross-site scripting in description field
### Impact
Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions.
This could lead to the user having elevated access to the system.
### Patches
Update to 4.4.12
### Workarounds
None
### References
- https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting
If you have any questions or comments about this advisory:
Email us at [[email protected]](mailto:[email protected])
OSV
Mautic vulnerable to stored cross-site scripting in description field
osv·2024-04-11
CVE-2021-27915 [HIGH] Mautic vulnerable to stored cross-site scripting in description field
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.