CVE-2022-25772 – mautic/core

Package

Manager: composer
Name: mautic/core
Vulnerable Version: >=0 <4.3.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

EPSS: 0.02072 pctl0.83275

Details

Cross-site Scripting vulnerability in Mautic's tracking pixel functionality ### Impact Mautic allows you to track open rates by using tracking pixels. The tracking information is stored together with extra metadata of the tracking request. The output isn't sufficiently filtered when showing the metadata of the tracking information, which may lead to a vulnerable situation. ### Patches Please upgrade to 4.3.0 ### Workarounds None. ### References * Internally tracked under MST-38 ### For more information If you have any questions or comments about this advisory: * Email us at [security@mautic.org](mailto:security@mautic.org)

Metadata

Created: 2022-05-25T22:36:33Z
Modified: 2022-05-25T22:36:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pjpc-87mp-4332/GHSA-pjpc-87mp-4332.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-pjpc-87mp-4332
Finding: F425
Auto approve: 1