CVE-2021-27909

nvd nist nuclei

Published: Aug 30, 2021Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into clicking a password reset URL with the vulnerable parameter utilized.

Affected (4)

Products: Acquia: Mautic

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Acquia Mautic	Before 3.3.4
Acquia Mautic	Version 4.0.0 alpha1
Acquia Mautic	Version 4.0.0 beta
Acquia Mautic	Version 4.0.0 rc

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc

Source: security@mautic.org

PatchThird Party Advisory

https://github.com/mautic/mautic/security/advisories/GHSA-32hw-3pvh-vcvc

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.