9

CVE-2021-27915

Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions.

This could lead to the user having elevated access to the system.

Data is provided by the National Vulnerability Database (NVD)
AcquiaMautic Version >= 1.0.0 < 4.4.12
AcquiaMautic Version1.0.0 Update-
AcquiaMautic Version1.0.0 Updatebeta2
AcquiaMautic Version1.0.0 Updatebeta3
AcquiaMautic Version1.0.0 Updatebeta4
AcquiaMautic Version1.0.0 Updaterc1
AcquiaMautic Version1.0.0 Updaterc2
AcquiaMautic Version1.0.0 Updaterc3
AcquiaMautic Version1.0.0 Updaterc4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.1% 0.29
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9 2.3 6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
security@mautic.org 7.6 2.1 5.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.