Search for packages
| purl | pkg:composer/mautic/core@2.12.0-beta |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1unf-fcpb-t7gr
Aliases: CVE-2020-35129 GHSA-3px5-wjh3-9x6r |
Cross-site Scripting Mautic is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users including administrators. For example, an attacker could load an externally drafted JavaScript file that would allow them to eventually perform actions on the target user’s behalf, including changing the user’s password or email address or changing the attacker’s user role from a low-privileged user to an administrator account. |
Affected by 1 other vulnerability. |
|
VCID-2bf9-tpw5-6ybc
Aliases: CVE-2018-8092 GHSA-29v9-2fpx-j5g9 |
Injection Vulnerability Mautic allows CSV injection. |
Affected by 6 other vulnerabilities. |
|
VCID-7nmh-nhm6-abhr
Aliases: CVE-2018-10189 GHSA-vfxj-qg93-7wwc |
Information Exposure An issue was discovered in Mautic It is possible to systematically emulate tracking cookies per contact due to tracking the contact by their auto-incremented ID. Thus, a third party can manipulate the cookie value with +1 to systematically assume being tracked as each contact in Mautic. It is then possible to retrieve information about the contact through forms that have progressive profiling enabled. |
Affected by 6 other vulnerabilities. |
|
VCID-9tjy-3czw-37as
Aliases: CVE-2020-35124 GHSA-39wj-j3jc-858m |
Cross-site Scripting A cross-site scripting (XSS) vulnerability in the assets component of Mautic allows remote attackers to inject executable JavaScript through the Referer header of asset downloads. |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-dh9y-k8zb-zkew
Aliases: CVE-2020-35125 GHSA-42q7-95j7-w62m |
Cross-site Scripting A cross-site scripting (XSS) vulnerability in the forms component of Mautic allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept). |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-ghuh-z1uh-mbf5
Aliases: CVE-2021-27908 GHSA-4hjq-422q-4vpx |
Incorrect Permission Assignment for Critical Resource Secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic’s configuration that are used in publicly facing parts of the application. |
Affected by 0 other vulnerabilities. |
|
VCID-hwrr-6qe1-77gn
Aliases: CVE-2018-8071 GHSA-5w74-jx7m-x6hv |
Cross-site Scripting Mautic before v2.13.0 has stored XSS via a theme config file. |
Affected by 6 other vulnerabilities. |
|
VCID-j624-5zx3-c7c8
Aliases: CVE-2021-3142 GHSA-p7v4-gm6j-cw9m |
XSS in Mautic ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-35128. Reason: This candidate is a reservation duplicate of CVE-2020-35128. Notes: All CVE users should reference CVE-2020-35128 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-p9jy-6mbb-ukad
Aliases: CVE-2020-35128 GHSA-98j2-3jv7-274m |
Cross-site Scripting Mautic is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system. |
Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-4kqw-y2ds-eue2 | Cross-site Scripting Mautic contains a Cross Site Scripting (XSS) vulnerability in Company's name that can result in denial of service and execution of javascript code. |
CVE-2017-1000506
GHSA-358v-cqjc-2pcq |
| VCID-4yn2-rg69-hqcs | Path Traversal Any authorized Mautic user could use the Filemanager to download any file from the server that the web user has access to. |
CVE-2017-1000490
GHSA-qpgw-2c72-4c89 |
| VCID-8uef-cxb8-sfcu | Cross-site Scripting Mautic is vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET parameters to pre-populate the form. |
CVE-2017-1000488
GHSA-qjhr-c23f-w76q |
| VCID-k2tn-w8n6-8ba1 | Improper Authentication Mautic allows a disabled user to still login using email address. |
CVE-2017-1000489
GHSA-6x98-fx9j-7c78 |