CVE-2020-35125
CVSS base score: 9.6 (Critical)
Published:
Last updated:
Source: cve@mitre.org
Status: Modified
Weakness (CWE)
CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Description
A cross-site scripting (XSS) vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).
References
https://forum.mautic.org/c/announcements/16
https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4
https://github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62m
https://www.horizon3.ai/disclosures/mautic-unauth-xss-to-rce