2.7
CVE-2025-9821
- EPSS 0.28%
- Veröffentlicht 03.09.2025 09:39:01
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle security@mautic.org
- CVE-Watchlists
- Unerledigt
SSRF via webhook function
SummaryUsers with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed DetailsWhen sending webhooks, the destination is not validated, causing SSRF. ImpactBypass of firewalls to interact with internal services. See https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ for more potential impact. Resources https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on SSRF and its fix.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerMautic
≫
Produkt
Mautic
Default Statusunaffected
Version <=
< 4.4.17
Version
>= 4.4.0
Status
affected
Version <=
< 5.2.8
Version
>= 5.0.0-alpha
Status
affected
Version <=
< 6.0.5
Version
>= 6.0.0-alpha
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.198 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@mautic.org | 2.7 | 1.2 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/mautic/mautic/security/advisories/GHSA-hj6f-7hp7-xg69