CVE-2025-9823

EPSS 0.06%
Veröffentlicht 03.09.2025 14:33:26
Zuletzt bearbeitet 04.09.2025 15:35:29
Quelle security@mautic.org
Teams Watchlist Login
Unerledigt Login

SummaryA Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.

DetailsThe vulnerability resides in the “Tags” input field on the /s/ajax?action=lead:addLeadTags endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session.

ImpactA Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, manipulate the web page content, and essentially take control of a user's session within an application by executing malicious JavaScript code within the victim's browser, even if the server-side code is secure; essentially enabling them to perform actions as if they were the logged-in user.

References  *   Web Security Academy: Cross-site scripting https://portswigger.net/web-security/cross-site-scripting 
  *   Web Security Academy: Reflected cross-site scripting https://portswigger.net/web-security/cross-site-scripting/reflected

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerMautic

≫

Produkt Mautic

Default Statusunaffected

Version < < 4.4.17

Version >= 4.4.0

Status affected

Version < < 5.2.8

Version >= 5.0.0-alpha

Status affected

Version < < 6.0.5

Version >= 6.0.0-alpha

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.191

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@mautic.org	4.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm

https://nvd.nist.gov/vuln/detail/CVE-2025-9823

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-9823

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-9823

EUVD