Acquia Mautic vulnerabilities
35 known vulnerabilities affecting acquia/mautic.
Total CVEs: 35
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 6 | HIGH 7 | MEDIUM 21 | LOW 1
Vulnerabilities
Page 2 of 2
CVE-2021-27910 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.3.4 and 4.0.0 | 2021-08-30
Insufficient sanitization / filtering allows arbitrary JavaScript injection in Mautic via the bounce management callback function. The values submitted in the "error" and "error_related_to" parameters of the bounce management callback's POST request are stored permanently and executed once the details page of an affected lead is opened.
Source: NVD
CVE-2018-11198 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects 2.13.1 | 2019-09-06
An issue was discovered in Mautic 2.13.1. There is stored XSS via the authorUrl field in config.json.
Source: NVD
CVE-2018-11200 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects 2.13.1 | 2019-09-20
An issue was discovered in Mautic 2.13.1. It has stored XSS via the company name field.
Source: NVD
CVE-2022-25774 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.4.12 | 2024-09-18
Prior to the patched version, logged-in users of Mautic are vulnerable to a self-XSS vulnerability in Mautic's notifications: users could inject malicious code into the notification when saving dashboards.
Source: NVD
CVE-2021-27917 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.4.13 | affects ≥ 5.0.0, < 5.1.1 (+1 more range) | 2024-09-18
Prior to this patch, a stored XSS vulnerability existed in the contact tracking and page hits report.
Source: NVD
CVE-2021-27911 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.3.4 and 4.0.0 | 2021-08-30
Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name, triggered when viewing a contact's details page, opening the action drop-down and hovering over the Campaigns button. Contact first and last name can be populated from different sources such as UI, API, 3rd party syncing,
Source: NVD
CVE-2021-27912 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 3.3.4 and 4.0.0 | 2021-08-30
Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets, by using inline JS in the title and adding a broken image URL as a remote asset. This can only be leveraged by an authenticated user with permission to create or edit assets.
Source: NVD
CVE-2017-1000488 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects 2.1.0, 2.1.1 (+18 more) | 2018-01-03
Mautic versions 2.1.0 - 2.11.0 are vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page that uses GET parameters to pre-populate the form.
Source: NVD
CVE-2024-47050 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects ≥ 2.6.0, < 4.4.13 and ≥ 5.0.0, < 5.1.1 | 2024-09-18
Prior to this patch being applied, Mautic's tracking was vulnerable to cross-site scripting through the Page URL variable.
Source: NVD
CVE-2024-47055 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | affects ≥ 5.0.0, < 5.2.6 and ≥ 6.0.0, < 6.0.2 | 2025-05-28
Summary: This advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. The vulnerability allows any authenticated user to clone segments without proper authorization checks.
Insecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the cloneAction of th
Source: NVD
CVE-2024-47059 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | affects 5.1.0 | 2024-09-18
When logging in with the correct username and an incorrect, weak password, the user receives a notification that their password is too weak. When an incorrect username is provided together with a weak password, the application instead responds with an 'Invalid credentials' notification. This difference can be used to perform username enumeration.
Source: NVD
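The entry above describes a response oracle: the password-strength notice is produced for accounts that exist before the password is verified, while unknown accounts get the generic message. The block below is an added example, not Mautic's code, that models that ordering bug beside a hardened login and gives a probe a tester can run against both; the user store, the password rule and the message strings are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed user store: one account with a salted PBKDF2 hash (not Mautic's schema).
_SALT = b"constructed-static-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy record so unknown usernames cost the same hash computation as real ones
# (otherwise the early return is a timing oracle even when the messages match).
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))


def is_weak(password: str) -> bool:
    # Stand-in for a password-strength policy; assumed rule, real policies are richer.
    return len(password) < 12


def credentials_ok(username: str, password: str) -> bool:
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), digest)
    return ok and username in USERS


def login_vulnerable(username: str, password: str) -> str:
    # Bug modelled from the advisory: the strength check runs as soon as the account is
    # known to exist, before the password is verified, so replies differ by account existence.
    if username not in USERS:
        return "Invalid credentials"
    if is_weak(password):
        return "Your password is too weak"
    if not credentials_ok(username, password):
        return "Invalid credentials"
    return "Logged in"


def login_fixed(username: str, password: str) -> str:
    # Verify first and answer identically for unknown users and wrong passwords;
    # the strength notice is only ever shown to a user who has just authenticated.
    if not credentials_ok(username, password):
        return "Invalid credentials"
    if is_weak(password):
        return "Logged in; please change your password (too weak)"
    return "Logged in"


def leaks_user_existence(login, known_user: str, probe_password: str) -> bool:
    """Tester's probe: send the same deliberately weak, wrong password for a known account
    and for a random account name. Any difference in the reply is an enumeration oracle."""
    unknown_user = "u_" + secrets.token_hex(8)
    return login(known_user, probe_password) != login(unknown_user, probe_password)
```

Running `leaks_user_existence(login_vulnerable, "alice", "short")` reports the oracle, while the same probe against `login_fixed` does not; the probe compares message bodies only, so a real test should also compare status codes, headers and response timing.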
CVE-2024-47058 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affects ≥ 1.0.0, < 4.4.13 and ≥ 5.0.0, < 5.1.1 | 2024-09-18
With access to edit a Mautic form, the attacker can add cross-site scripting stored in the HTML field. This could be used to steal sensitive information from the user's current session.
Source: NVD
CVE-2021-27908 | P4 | MEDIUM | CVSS 4.4 | CWE-200 | fixed in 3.3.2 | 2021-03-23
In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic's configuration that are used in publicly facing parts of the application.
Source: NVD
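The defect class in the entry above is an operator-supplied string being run through the container's parameter resolution, so `%name%` written into a free-text field is expanded when the public page renders it. The block below is an added example in Python, not Mautic or Symfony code: it models the `%name%` / `%%` placeholder convention with a constructed parameter bag (the parameter names and secret value are made up) and shows the leak beside one mitigation, escaping `%` in user-supplied values before they are stored. It does not describe how Mautic 3.3.2 actually fixed the issue.

```python
import re

# Constructed parameter bag standing in for the container's parameters.
# The names are hypothetical and the secret is made up for the example.
PARAMETERS = {
    "mautic.db_password": "hunter2-constructed",
    "site_name": "Example Corp",
}

_PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.]+)%")


def resolve(text: str, params: dict) -> str:
    """Resolve Symfony-style placeholders: %name% -> value, %% -> a literal %.
    Unknown names raise, like a container that refuses undefined parameters."""

    def substitute(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"undefined parameter {name!r}")
        return str(params[name])

    # Split on the escape sequence first so an escaped %% can never form a placeholder.
    return "%".join(_PLACEHOLDER.sub(substitute, chunk) for chunk in text.split("%%"))


def escape_user_text(text: str) -> str:
    """Neutralise placeholder syntax in operator-supplied free text before it is stored
    somewhere that will later be resolved as a parameter."""
    return text.replace("%", "%%")


def render_public_footer(stored_footer: str) -> str:
    # Public page: whatever was stored in the configuration is resolved here.
    return resolve(stored_footer, PARAMETERS)


# Vulnerable flow: the admin's free-text value is stored unescaped and resolved on render.
ADMIN_INPUT = "Contact %site_name% - debug: %mautic.db_password%"
LEAKED = render_public_footer(ADMIN_INPUT)
# Mitigated flow: the same input is escaped at save time, so it renders as typed.
SAFE = render_public_footer(escape_user_text(ADMIN_INPUT))
```

`LEAKED` contains the database password; `SAFE` contains the literal text the admin typed. Escaping at save time is one option; the alternative is to never pass stored free text through the resolver at all.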
CVE-2021-27914 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.3.0 | 2022-06-01
A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable JavaScript.
Source: NVD
CVE-2021-27913 | P4 | LOW | CVSS 3.5 | CWE-327 | fixed in 3.3.4 and 4.0.0 | 2021-08-30
The function mt_rand is used to generate session tokens. This function is cryptographically flawed because it is a deterministic pseudorandom generator, and an attacker can take advantage of that to enumerate session tokens for accounts that are not under his/her control. This issue affects: Mautic Mautic versions p
Source: NVD
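Why a token built from mt_rand() can be enumerated: the generator behind it, MT19937, has a 624-word internal state, and each output is that state passed through an invertible "tempering" step, so 624 consecutive outputs let an attacker rebuild the state and predict every later output. The block below is an added example, not Mautic's code, that demonstrates this with Python's `random` module, which uses the same MT19937 core and exposes full 32-bit outputs through `getrandbits(32)`. Caveat for the PHP case: PHP's mt_rand() returns each output shifted right by one bit, so recovery from PHP tokens needs more samples and a linear-algebra reconstruction rather than the direct untempering shown here; the principle is identical. The token format (four generator outputs in hex) and the seed are constructed for the example.

```python
import random
import secrets

N = 624  # MT19937 state words


def _undo_right_shift_xor(y: int, shift: int) -> int:
    # Invert y ^= y >> shift; each pass recovers `shift` more correct bits from the top.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_shift_and_xor(y: int, shift: int, mask: int) -> int:
    # Invert y ^= (y << shift) & mask; each pass recovers `shift` more bits from the bottom.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF


def untemper(output: int) -> int:
    """Map one 32-bit MT19937 output back to the state word it was tempered from
    (the tempering steps, undone in reverse order)."""
    y = _undo_right_shift_xor(output, 18)
    y = _undo_left_shift_and_xor(y, 15, 0xEFC60000)
    y = _undo_left_shift_and_xor(y, 7, 0x9D2C5680)
    y = _undo_right_shift_xor(y, 11)
    return y


def clone_generator(outputs: list) -> random.Random:
    """Rebuild a generator in the same state as the one that produced `outputs`.
    Needs 624 consecutive raw 32-bit outputs."""
    if len(outputs) < N:
        raise ValueError(f"need {N} consecutive outputs, got {len(outputs)}")
    state = tuple(untemper(o) for o in outputs[:N])
    clone = random.Random()
    # index N means "regenerate the block on the next call", exactly where the victim is.
    clone.setstate((3, state + (N,), None))
    return clone


def weak_token(rng: random.Random) -> str:
    """Constructed token format: four generator outputs, hex-encoded."""
    return "".join(f"{rng.getrandbits(32):08x}" for _ in range(4))


def predict_next_token(observed_words: list) -> str:
    return weak_token(clone_generator(observed_words))


def secure_token() -> str:
    # CSPRNG-backed replacement; the PHP equivalent is bin2hex(random_bytes(16)).
    return secrets.token_hex(16)


def demo(seed: int = 20240918) -> bool:
    """Attacker collects 156 of its own tokens (624 words), then predicts the next one."""
    victim = random.Random(seed)  # constructed seed; the attacker never learns it
    attacker_sees = [victim.getrandbits(32) for _ in range(N)]
    return predict_next_token(attacker_sees) == weak_token(victim)
```

`demo()` returns True: the predicted token equals the one the victim generator issues next. A CSPRNG-backed token (`secure_token()`) has no recoverable state, which is the fix the CWE-327 classification points at.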
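To turn this listing into something a deployment can be checked against, the block below is an added example (not code from this page's source or from Mautic) that transcribes the affected ranges of the entries on this page into data and answers "which of these CVEs apply to version X". Assumptions: "fixed in X" is read as every version below X, "affects vX" with no range as that exact version, "2.1.0 - 2.11.0" as inclusive, and entries whose version list is cut off on the page ("+1 more") are flagged as incomplete. This is page 2 of 2, so the data covers 15 of the 35 CVEs, and a clean result here is not a clean result overall.

```python
from typing import Optional

# Affected-version data transcribed from the entries on this page.
# Tuple: (CVE, [(lower inclusive or None, upper exclusive)], [exact versions], list complete?)
ADVISORIES = [
    ("CVE-2021-27910", [(None, "3.3.4")], [], True),
    ("CVE-2018-11198", [], ["2.13.1"], True),
    ("CVE-2018-11200", [], ["2.13.1"], True),
    ("CVE-2022-25774", [(None, "4.4.12")], [], True),
    ("CVE-2021-27917", [(None, "4.4.13"), ("5.0.0", "5.1.1")], [], False),  # "+1 more" on the page
    ("CVE-2021-27911", [(None, "3.3.4")], [], True),
    ("CVE-2021-27912", [(None, "3.3.4")], [], True),
    ("CVE-2017-1000488", [("2.1.0", "2.11.1")], [], True),  # 2.1.0 - 2.11.0 inclusive per description
    ("CVE-2024-47050", [("2.6.0", "4.4.13"), ("5.0.0", "5.1.1")], [], True),
    ("CVE-2024-47055", [("5.0.0", "5.2.6"), ("6.0.0", "6.0.2")], [], True),
    ("CVE-2024-47059", [], ["5.1.0"], True),
    ("CVE-2024-47058", [("1.0.0", "4.4.13"), ("5.0.0", "5.1.1")], [], True),
    ("CVE-2021-27908", [(None, "3.3.2")], [], True),
    ("CVE-2021-27914", [(None, "4.3.0")], [], True),
    ("CVE-2021-27913", [(None, "3.3.4")], [], True),
]


def parse_version(v: str) -> tuple:
    """Plain dotted numeric versions only; pre-release tags are rejected rather than guessed."""
    v = v.lstrip("v")
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def in_range(version: tuple, lower: Optional[str], upper: str) -> bool:
    if lower is not None and version < parse_version(lower):
        return False
    return version < parse_version(upper)


def affecting(version_str: str) -> list:
    """CVE IDs on this page whose stated ranges include `version_str`, sorted."""
    version = parse_version(version_str)
    hits = []
    for cve, ranges, exact, _complete in ADVISORIES:
        in_ranges = any(in_range(version, lo, hi) for lo, hi in ranges)
        is_exact = any(version == parse_version(e) for e in exact)
        if in_ranges or is_exact:
            hits.append(cve)
    return sorted(hits)


def incomplete_advisories() -> list:
    """CVEs whose version list is truncated on the page; a miss for these is unconfirmed."""
    return sorted(cve for cve, _r, _e, complete in ADVISORIES if not complete)
```

For example, `affecting("4.4.12")` returns the three entries whose 4.x range runs up to 4.4.13, and `incomplete_advisories()` lists the one whose ranges the page truncates; a version with a pre-release suffix is rejected by `parse_version` rather than silently compared.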