CVE-2021-27910
Stored XSS vulnerability on Bounce Management Callback
Summary
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Description
Insufficient sanitization/filtering allows arbitrary JavaScript injection in Mautic via the bounce management callback function. The values submitted in the "error" and "error_related_to" parameters of the bounce management callback's POST request are stored permanently and executed once the details page of an affected lead is opened by a Mautic user. An attacker with access to the bounce management callback function (identified with the Mailjet webhook, but it is assumed this works uniformly across all kinds of webhooks) can inject arbitrary JavaScript code into the "error" and "error_related_to" parameters of the POST request (POST /mailer/<product / webhook>/callback). Note that no authentication is needed to access this function. The JavaScript code is stored permanently in the web application and executed every time an authenticated user views the details page of a single contact/lead in Mautic. This means arbitrary code can be executed to, for example, steal or tamper with information.
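The two defensive layers that close this class of bug are normalising webhook-supplied strings before they are stored and HTML-escaping them again at render time, with a check that flags stored bounce reasons carrying markup so an operator can spot tampering. The following is an added illustration, not Mautic's own code or the fix from the advisory; the function names, the tag-stripping rule and the sample payload are assumptions, and only the parameter names "error" and "error_related_to" come from the description above.

```python
import html
import re

# Constructed sample of what a bounce-management webhook might POST.
# Parameter names follow the advisory; the values are made up for this example.
SAMPLE_CALLBACK = {
    "error": "550 mailbox unavailable <b>bold</b>",
    "error_related_to": "recipient",
}

# Hypothetical rule: bounce reasons are plain text, so any tag is dropped on intake.
TAG_RE = re.compile(r"<[^>]*>")


def normalize_bounce_reason(value: str, max_len: int = 255) -> str:
    """Store-side hardening: strip tags, trim whitespace and bound the length."""
    value = TAG_RE.sub("", value).strip()
    return value[:max_len]


def render_bounce_detail(stored_reason: str) -> str:
    """Render-side defence: always HTML-escape before interpolating into markup.

    This is the layer that actually prevents stored XSS; escaping at output
    makes the result safe even if something unnormalized reached the database.
    """
    return '<span class="bounce-reason">' + html.escape(stored_reason, quote=True) + "</span>"


def contains_markup(value: str) -> bool:
    """Detection helper: flag incoming bounce reasons that carry HTML or a script URL."""
    return bool(TAG_RE.search(value)) or "javascript:" in value.lower()


def process_callback(payload: dict) -> dict:
    """Run one webhook payload through intake normalisation, rendering and flagging."""
    fields = ("error", "error_related_to")
    raw = {k: payload.get(k, "") for k in fields}
    stored = {k: normalize_bounce_reason(v) for k, v in raw.items()}
    rendered = {k: render_bounce_detail(v) for k, v in stored.items()}
    flagged = [k for k, v in raw.items() if contains_markup(v)]
    return {"stored": stored, "rendered": rendered, "flagged_input": flagged}


if __name__ == "__main__":
    result = process_callback(SAMPLE_CALLBACK)
    for key, value in result["rendered"].items():
        print(key, "->", value)
    print("fields that arrived with markup:", result["flagged_input"])
```

Escaping on output is the control that matters; the intake normalisation and the flag list are there so that a webhook that starts delivering markup shows up in logs rather than silently being cleaned.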
SSVC
- Decision: -
Timeline
- 2021-03-02 CVE Reserved
- 2021-08-30 CVE Published
- 2024-05-15 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (1)
URL | Date | Source
---|---|---
https://github.com/mautic/mautic/security/advisories/GHSA-86pv-95mj-7w5f | 2021-09-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Acquia | Mautic | < 3.3.4 | - | Affected
Acquia | Mautic | 4.0.0 | alpha1 | Affected
Acquia | Mautic | 4.0.0 | beta | Affected
Acquia | Mautic | 4.0.0 | rc | Affected