XSS in Notifications via saving Dashboards

Moderate

RCheesley published GHSA-fhcx-f7jg-jx3f

Apr 11, 2024

Package

mautic/core (Composer)

Affected versions

< 4.4.12

Patched versions

4.4.12

Description

Impact

Prior to the patched version, logged in users of Mautic are vulnerable to a self XSS vulnerability in the notifications within Mautic.

Users could inject malicious code into the notification when saving Dashboards.

Patches

Update to Mautic 4.4.12.

Workarounds

None

References

https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

If you have any questions or comments about this advisory:

Email us at security@mautic.org

Severity

Moderate

4.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

High

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N