CVE-2020-35128 mautic/core

Package

Manager: composer
Name: mautic/core
Vulnerable Version: >=3.2.0 <3.2.4 || >=2.0.0 <2.16.5

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00651 (percentile: 0.69955)

Details

Mautic stored Cross-site Scripting (XSS)

Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing user passwords, altering user or email addresses, or adding a new administrator to the system.

Metadata

Created: 2022-05-24T17:39:28Z
Modified: 2024-04-23T23:00:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-98j2-3jv7-274m/GHSA-98j2-3jv7-274m.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-98j2-3jv7-274m
Finding: F425
Auto approve: 1