Package details: pkg:composer/mautic/core@3.2.4
purl: pkg:composer/mautic/core@3.2.4
Next non-vulnerable version: 3.3.2
Latest non-vulnerable version: 7.0.1
Risk
Vulnerabilities affecting this package (1)

Vulnerability: VCID-ghuh-z1uh-mbf5
Aliases: CVE-2021-27908, GHSA-4hjq-422q-4vpx
Summary: Incorrect Permission Assignment for Critical Resource. Secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic's configuration that are used in publicly facing parts of the application.
Fixed by: 3.3.2

Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (5)

Vulnerability: VCID-1unf-fcpb-t7gr
Summary: Cross-site Scripting. Mautic is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users including administrators. For example, an attacker could load an externally drafted JavaScript file that would allow them to eventually perform actions on the target user's behalf, including changing the user's password or email address or changing the attacker's user role from a low-privileged user to an administrator account.
Aliases: CVE-2020-35129, GHSA-3px5-wjh3-9x6r

Vulnerability: VCID-9tjy-3czw-37as
Summary: Cross-site Scripting. A cross-site scripting (XSS) vulnerability in the assets component of Mautic allows remote attackers to inject executable JavaScript through the Referer header of asset downloads.
Aliases: CVE-2020-35124, GHSA-39wj-j3jc-858m

Vulnerability: VCID-dh9y-k8zb-zkew
Summary: Cross-site Scripting. A cross-site scripting (XSS) vulnerability in the forms component of Mautic allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).
Aliases: CVE-2020-35125, GHSA-42q7-95j7-w62m

Vulnerability: VCID-j624-5zx3-c7c8
Summary: XSS in Mautic. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-35128. Reason: This candidate is a reservation duplicate of CVE-2020-35128. Notes: All CVE users should reference CVE-2020-35128 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Aliases: CVE-2021-3142, GHSA-p7v4-gm6j-cw9m

Vulnerability: VCID-p9jy-6mbb-ukad
Summary: Cross-site Scripting. Mautic is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.
Aliases: CVE-2020-35128, GHSA-98j2-3jv7-274m

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:47:19.257659+00:00 GitLab Importer Affected by VCID-ghuh-z1uh-mbf5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2021-27908.yml 38.6.0
2026-06-04T17:59:30.714777+00:00 GithubOSV Importer Fixing VCID-p9jy-6mbb-ukad https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-98j2-3jv7-274m/GHSA-98j2-3jv7-274m.json 38.6.0
2026-06-04T17:53:41.117027+00:00 GithubOSV Importer Fixing VCID-1unf-fcpb-t7gr https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3px5-wjh3-9x6r/GHSA-3px5-wjh3-9x6r.json 38.6.0
2026-06-04T17:27:53.009209+00:00 GithubOSV Importer Fixing VCID-9tjy-3czw-37as https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-39wj-j3jc-858m/GHSA-39wj-j3jc-858m.json 38.6.0
2026-06-04T17:27:51.576041+00:00 GithubOSV Importer Fixing VCID-j624-5zx3-c7c8 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-p7v4-gm6j-cw9m/GHSA-p7v4-gm6j-cw9m.json 38.6.0
2026-06-04T16:51:29.822154+00:00 GithubOSV Importer Fixing VCID-dh9y-k8zb-zkew https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-42q7-95j7-w62m/GHSA-42q7-95j7-w62m.json 38.6.0
2026-06-04T16:20:47.904048+00:00 GitLab Importer Fixing VCID-dh9y-k8zb-zkew https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2020-35125.yml 38.6.0
2026-06-04T16:20:46.350756+00:00 GitLab Importer Fixing VCID-j624-5zx3-c7c8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2021-3142.yml 38.6.0
2026-06-04T16:20:46.149126+00:00 GitLab Importer Fixing VCID-9tjy-3czw-37as https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2020-35124.yml 38.6.0
2026-06-04T16:20:44.829656+00:00 GitLab Importer Fixing VCID-p9jy-6mbb-ukad https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2020-35128.yml 38.6.0
2026-06-04T16:20:44.634810+00:00 GitLab Importer Fixing VCID-1unf-fcpb-t7gr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mautic/core/CVE-2020-35129.yml 38.6.0