CVE-2021-27912

Description

### Impact Mautic versions before 3.3.4 / 4.0.0 are vulnerable to an inline JS XSS attack when viewing Mautic assets by utilizing inline JS in the title and adding a broken image URL as a remote asset. This can only be leveraged by an authenticated user with permission to create or edit assets. ### Patches Upgrade to 3.3.4 or 4.0.0 ### Workarounds No ### References https://github.com/mautic/mautic/releases/tag/3.3.4 https://github.com/mautic/mautic/releases/tag/4.0.0 ### For more information If you have any questions or comments about this advisory: * Email us at [security@mautic.org](mailto:security@mautic.org)

How to fix CVE-2021-27912

To remediate CVE-2021-27912, upgrade the affected package to a fixed version below.

• —upgrade to 3.3.4 or later

Is CVE-2021-27912 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.3.4

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-27912
• PATCHgithub.com/mautic/mautic
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27912.yaml
• WEBgithub.com/mautic/mautic/security/advisories/GHSA-rh5w-82wh-jhr8