CVE-2020-35128 — Mautic stored Cross-site Scripting (XSS)

Description

Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.

How to fix CVE-2020-35128

To remediate CVE-2020-35128, upgrade the affected package to a fixed version below.

—upgrade to 3.2.4 or later

Is CVE-2020-35128 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.2.0, < 3.2.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-35128
PATCHgithub.com/mautic/mautic
WEBforum.mautic.org/c/announcements/16
WEBforum.mautic.org/t/security-release-for-all-versions-of-mautic-prior-to-2-16-5-and-3-2-4/17786