Vulnerability Description
A cross-site scripting (XSS) vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Acquia | Mautic | < 2.16.5 |
Related Weaknesses (CWE)
References
- https://forum.mautic.org/c/announcements/16Vendor Advisory
- https://github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62mPatchThird Party Advisory
- https://www.horizon3.ai/disclosures/mautic-unauth-xss-to-rceExploitTechnical DescriptionThird Party Advisory
- https://www.mautic.org/blog/community/security-release-all-versions-mautic-priorRelease NotesVendor Advisory
- https://forum.mautic.org/c/announcements/16Vendor Advisory
- https://github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62mPatchThird Party Advisory
- https://www.horizon3.ai/disclosures/mautic-unauth-xss-to-rceExploitTechnical DescriptionThird Party Advisory
- https://www.mautic.org/blog/community/security-release-all-versions-mautic-priorRelease NotesVendor Advisory
FAQ
What is CVE-2020-35125?
CVE-2020-35125 is a vulnerability with a CVSS score of 9.6 (CRITICAL). A cross-site scripting (XSS) vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-...
How severe is CVE-2020-35125?
CVE-2020-35125 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-35125?
Check the references section above for vendor advisories and patch information. Affected products include: Acquia Mautic.