Impact

This is a cross-site scripting vulnerability relating to creating/editing a company which requires the user to be logged in as an administrator to be executed.

This vulnerability was reported by Dardan Prebreza at Bishop Fox.

Patches

Upgrade to 3.2.4 or 2.16.5.

Link to patch for 2.x versions: https://github.com/mautic/mautic/compare/2.16.4...2.16.5.diff

Link to patch for 3.x versions: https://github.com/mautic/mautic/compare/3.2.2...3.2.4.diff

Workarounds

None

References

https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4

For more information

If you have any questions or comments about this advisory:

• Post in https://forum.mautic.org/c/support
• Email us at [email protected]

References

• GHSA-p7v4-gm6j-cw9m
• https://nvd.nist.gov/vuln/detail/CVE-2021-3142
• mautic/mautic@ba31db2
• https://github.com/mautic/mautic/releases/tag/3.2.4
• https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-3
• https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-3142.yaml
• https://www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4