GHSA-73gr-32wg-qhh7

Source

https://github.com/advisories/GHSA-73gr-32wg-qhh7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-73gr-32wg-qhh7/GHSA-73gr-32wg-qhh7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-73gr-32wg-qhh7

Aliases

CVE-2024-47050

Published

2024-09-18T22:05:30Z

Modified

2024-09-27T17:24:04.984073Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Mautic vulnerable to XSS in contact/company tracking (no authentication)

Details

Summary

Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.

Patches

Please update to 4.4.13 or 5.1.1 or later.

Workarounds

None

References

https://owasp.org/www-project-top-ten/2017/A72017-Cross-SiteScripting(XSS) https://owasp.org/www-project-web-security-testing-guide/latest/4-WebApplicationSecurityTesting/07-InputValidationTesting/02-TestingforStoredCrossSite_Scripting

If you have any questions or comments about this advisory: Email us at security@mautic.org

Database specific

{
    "nvd_published_at": "2024-09-18T21:15:13Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-18T22:05:30Z"
}

References

Affected packages

Packagist / mautic/core

Package

Name: mautic/core
Purl: pkg:composer/mautic/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.0

Fixed

4.4.13

Affected versions

2.*

2.6.0

2.6.1

2.7.0

2.7.1

2.8.0

2.8.1

2.8.2

2.9.0-beta

2.9.0

2.9.1

2.9.2

2.10.0-beta

2.10.0

2.10.1

2.11.0-beta

2.11.0

2.12.0-beta

2.12.0

2.12.1-beta

2.12.1

2.12.2-beta

2.12.2

2.13.0-beta

2.13.0

2.13.1

2.14.0-beta

2.14.0

2.14.1-beta

2.14.1

2.14.2-beta

2.14.2

2.15.0-beta

2.15.0

2.15.1-beta

2.15.1

2.15.2-beta

2.15.2

2.15.3-beta

2.15.3

2.16.0-beta

2.16.0

2.16.1-beta

2.16.1

2.16.2-beta

2.16.2

2.16.3-beta

2.16.3

2.16.4

2.16.5

3.*

3.0.0-alpha

3.0.0-beta

3.0.0-beta2

3.0.0

3.0.1

3.0.2-rc

3.0.2

3.1.0-rc

3.1.0

3.1.1-rc

3.1.1

3.1.2-rc

3.1.2

3.2.0-rc

3.2.0

3.2.1

3.2.2-rc

3.2.2

3.2.3

3.2.4

3.2.5-rc

3.2.5

3.3.0-rc

3.3.0

3.3.1

3.3.2-rc

3.3.2

3.3.3-rc

3.3.3

3.3.4

3.3.5

4.*

4.0.0-alpha1

4.0.0-beta

4.0.0-rc

4.0.0

4.0.1

4.0.2

4.1.0

4.1.1

4.1.2

4.2.0-rc

4.2.0-rc1

4.2.0

4.2.1

4.2.2

4.3.0-beta

4.3.0-rc

4.3.0

4.3.1

4.4.0-beta

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

Packagist / mautic/core

Package

Name: mautic/core
Purl: pkg:composer/mautic/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-alpha

Fixed

5.1.1

Affected versions

5.*

5.0.0-alpha

5.0.0-alpha1

5.0.0-beta1

5.0.0-beta2

5.0.0-rc1

5.0.0-rc2

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.1.0

Packagist / mautic/core-lib

Package

Name: mautic/core-lib
Purl: pkg:composer/mautic/core-lib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.0

Fixed

4.4.13

Affected versions

4.*

4.0.0-alpha1

4.0.0-beta

4.0.0-rc

4.0.0

4.0.1

4.0.2

4.1.0

4.1.1

4.1.2

4.2.0-rc

4.2.0-rc1

4.2.0

4.2.1

4.2.2

4.3.0-beta

4.3.0-rc

4.3.0

4.3.1

4.4.0

4.4.1-alpha

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

Packagist / mautic/core-lib

Package

Name: mautic/core-lib
Purl: pkg:composer/mautic/core-lib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-alpha

Fixed

5.1.1

Affected versions

5.*

5.0.0-alpha

5.0.0-alpha1

5.0.0-beta1

5.0.0-beta2

5.0.0-rc1

5.0.0-rc2

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.1.0