CVE-2021-27915
EUVD-2024-106917.09.2024, 14:15
Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions. This could lead to the user having elevated access to the system.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| acquia | mautic | 1.0.0 ≤ 𝑥 < 4.4.12 |
| acquia | mautic | 1.0.0 |
| acquia | mautic | 1.0.0:beta2 |
| acquia | mautic | 1.0.0:beta3 |
| acquia | mautic | 1.0.0:beta4 |
| acquia | mautic | 1.0.0:rc1 |
| acquia | mautic | 1.0.0:rc2 |
| acquia | mautic | 1.0.0:rc3 |
| acquia | mautic | 1.0.0:rc4 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| mautic | mautic | 1.0.0-beta2 ≤ 𝑥 ≤ 4.4.11 | ADP |
Common Weakness Enumeration
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.