{"id":"GHSA-p7v4-gm6j-cw9m","summary":"XSS in Mautic","details":"### Impact\nThis is a cross-site scripting vulnerability in the company create/edit functionality; exploiting it requires the user to be logged in as an administrator.\n\nThis vulnerability was reported by Dardan Prebreza at Bishop Fox.\n\n### Patches\nUpgrade to 3.2.4 or 2.16.5.\n\nLink to patch for 2.x versions: https://github.com/mautic/mautic/compare/2.16.4...2.16.5.diff\n\nLink to patch for 3.x versions: https://github.com/mautic/mautic/compare/3.2.2...3.2.4.diff\n\n### Workarounds\nNone\n\n### References\nhttps://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Post in https://forum.mautic.org/c/support\n* Email us at security@mautic.org","aliases":["CVE-2021-3142"],"modified":"2024-11-30T05:39:13.234035Z","published":"2021-01-29T20:51:20Z","database_specific":{"severity":"HIGH","nvd_published_at":"2021-01-28T06:15:00Z","github_reviewed":true,"cwe_ids":["CWE-79"],"github_reviewed_at":"2021-01-29T20:31:59Z"},"references":[{"type":"WEB","url":"https://github.com/mautic/mautic/security/advisories/GHSA-p7v4-gm6j-cw9m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3142"},{"type":"WEB","url":"https://github.com/mautic/mautic/commit/ba31db23e664f889da55a29ff27f797e2ab5cb1b"},{"type":"WEB","url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-3142.yaml"},{"type":"WEB","url":"https://github.com/mautic/mautic/releases/tag/3.2.4"},{"type":"WEB","url":"https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-3"},{"type":"WEB","url":"https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4"}],"affected":[{"package":{"name":"mautic/core","ecosystem":"Packagist","purl":"pkg:composer/mautic/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"i
ntroduced":"3.0.0"},{"fixed":"3.2.4"}]}],"versions":["3.0.0","3.0.1","3.0.2","3.0.2-rc","3.1.0","3.1.0-rc","3.1.1","3.1.1-rc","3.1.2","3.1.2-rc","3.2.0","3.2.0-rc","3.2.1","3.2.2","3.2.2-rc","3.2.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-p7v4-gm6j-cw9m/GHSA-p7v4-gm6j-cw9m.json"}},{"package":{"name":"mautic/core","ecosystem":"Packagist","purl":"pkg:composer/mautic/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.16.5"}]}],"versions":["2.0.0","2.0.1","2.1.0","2.1.1","2.10.0","2.10.0-beta","2.10.1","2.11.0","2.11.0-beta","2.12.0","2.12.0-beta","2.12.1","2.12.1-beta","2.12.2","2.12.2-beta","2.13.0","2.13.0-beta","2.13.1","2.14.0","2.14.0-beta","2.14.1","2.14.1-beta","2.14.2","2.14.2-beta","2.15.0","2.15.0-beta","2.15.1","2.15.1-beta","2.15.2","2.15.2-beta","2.15.3","2.15.3-beta","2.16.0","2.16.0-beta","2.16.1","2.16.1-beta","2.16.2","2.16.2-beta","2.16.3","2.16.3-beta","2.16.4","2.2.0","2.2.1","2.3.0","2.4.0","2.5.0","2.5.1","2.6.0","2.6.1","2.7.0","2.7.1","2.8.0","2.8.1","2.8.2","2.9.0","2.9.0-beta","2.9.1","2.9.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-p7v4-gm6j-cw9m/GHSA-p7v4-gm6j-cw9m.json"}}],"schema_version":"1.7.3"}