34 results (0.026 seconds)

CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0

Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable. • https://github.com/mautic/mautic/security/advisories/GHSA-qf6m-6m4g-rmrc • CWE-306: Missing Authentication for Critical Function •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak. However when an incorrect username is provided alongside with a weak password, the application responds with ’Invalid credentials’ notification. This difference could be used to perform username enumeration. • https://github.com/mautic/mautic/security/advisories/GHSA-8vff-35qm-qjvv • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0

Prior to this patch, a stored XSS vulnerability existed in the contact tracking and page hits report. • https://github.com/mautic/mautic/security/advisories/GHSA-xpc5-rr39-v8v2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable. • https://github.com/mautic/mautic/security/advisories/GHSA-73gr-32wg-qhh7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 2.9EPSS: 0%CPEs: 2EXPL: 0

With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session. • https://github.com/mautic/mautic/security/advisories/GHSA-xv68-rrmw-9xwf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •