mautic/core Security Advisories for 2.14.0-beta (25)
-
[MEDIUM] Mautic allows Relative Path Traversal in assets file upload
PKSA-r9y9-cx91-ppbj CVE-2022-25773 GHSA-4w2w-36vm-c8hf
Affected version: <5.2.3
Reported by:
GitHub -
[HIGH] Mautic allows Improper Authorization in Reporting API
PKSA-d6g7-gn2x-xxxs CVE-2024-47053 GHSA-8xv7-g2q3-fqgc
Affected version: >=1.0.1,<5.2.3
Reported by:
GitHub -
[CRITICAL] Mautic allows Remote Code Execution and File Deletion in Asset Uploads
PKSA-r8cy-ghyg-685v CVE-2024-47051 GHSA-73gx-x7r9-77x2
Affected version: <5.2.3
Reported by:
GitHub -
[MEDIUM] Mautic has insufficient authentication in upgrade flow
PKSA-zrpx-tjt4-ctvz CVE-2022-25770 GHSA-qf6m-6m4g-rmrc
Affected version: >=5.0.0-alpha,<5.1.1|>=1.0.0-beta3,<4.4.13
Reported by:
GitHub -
[MEDIUM] Mautic has an XSS in contact tracking and page hits report
PKSA-39c1-mjv2-cwmh CVE-2021-27917 GHSA-xpc5-rr39-v8v2
Affected version: >=5.0.0-alpha,<5.1.1|>=1.0.0-beta4,<4.4.13
Reported by:
GitHub -
[MEDIUM] Mautic vulnerable to XSS in contact/company tracking (no authentication)
PKSA-x4f7-yvw2-qxkj CVE-2024-47050 GHSA-73gr-32wg-qhh7
Affected version: >=5.0.0-alpha,<5.1.1|>=2.6.0,<4.4.13
Reported by:
GitHub -
[MEDIUM] Mautic vulnerable to Cross-site Scripting (XSS) - stored (edit form HTML field)
PKSA-zw3g-4t7k-356g CVE-2024-47058 GHSA-xv68-rrmw-9xwf
Affected version: >=1.0.0-beta,<4.4.13|>=5.0.0-alpha,<5.1.1
Reported by:
GitHub -
[HIGH] Mautic vulnerable to Improper Access Control in UI upgrade process
PKSA-1qjd-2pbn-b37d CVE-2022-25768 GHSA-x3jx-5w6m-q2fc
Affected version: >=5.0.0-alpha,<5.1.1|>=1.1.3,<4.4.13
Reported by:
GitHub -
[MEDIUM] Mautic: MST-48 Server-Side Request Forgery in Asset section
PKSA-qbyg-mfvh-bykw CVE-2022-25777 GHSA-mgv8-w49f-822w
Affected version: >=5.0.0-alpha,<5.0.4|>=1.0.0-beta4,<4.4.12
Reported by:
GitHub -
[HIGH] Mautic Sensitive Data Exposure due to inadequate user permission settings
PKSA-h1nj-n1bm-2hgs CVE-2022-25776 GHSA-qjx3-2g35-6hv8
Affected version: >=5.0.0-alpha,<5.0.4|>=1.0.2,<4.4.12
Reported by:
GitHub -
[MEDIUM] Mautic vulnerable to cross-site scripting in notifications via saving Dashboards
PKSA-47j7-7fkf-jb1b CVE-2022-25774 GHSA-fhcx-f7jg-jx3f
Affected version: <4.4.12
Reported by:
GitHub -
[HIGH] Mautic vulnerable to stored cross-site scripting in description field
PKSA-y6pk-4xsd-p383 CVE-2021-27915 GHSA-2rc5-2755-v422
Affected version: >=1.0.0-beta2,<4.4.12
Reported by:
GitHub -
[CRITICAL] Cross-site Scripting vulnerability in Mautic's tracking pixel functionality
PKSA-srsk-dycm-5jdh CVE-2022-25772 GHSA-pjpc-87mp-4332
Affected version: <4.3.0
Reported by:
GitHub -
[CRITICAL] Mautic stored Cross-site Scripting (XSS)
PKSA-b7h2-7psv-6msq CVE-2020-35129 GHSA-3px5-wjh3-9x6r
Affected version: <3.2.4
Reported by:
GitHub -
[CRITICAL] Mautic stored Cross-site Scripting (XSS)
PKSA-36ht-xbvy-shxt CVE-2020-35128 GHSA-98j2-3jv7-274m
Affected version: >=2.0.0,<2.16.5|>=3.2.0,<3.2.4
Reported by:
GitHub -
[MEDIUM] Improper regex in htaccess file
PKSA-hj5d-wswk-kw69 CVE-2022-25769 GHSA-mj6m-246h-9w56
Affected version: >=4.0.0,<4.2.0|<3.3.5
Reported by:
GitHub -
[HIGH] XSS vulnerability on asset view
PKSA-p6sq-9ppy-k1f8 CVE-2021-27912 GHSA-rh5w-82wh-jhr8
Affected version: <4.0.0|>=3.3.0,<3.3.4|>=3.2.0,<3.3.0|>=3.1.0,<3.2.0|>=3.0.0,<3.1.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[LOW] Use of a Broken or Risky Cryptographic Algorithm
PKSA-fcy2-ts5y-y8xc CVE-2021-27913 GHSA-x7g2-wrrp-r6h3
Affected version: <4.0.0|>=3.3.0,<3.3.4|>=3.2.0,<3.3.0|>=3.1.0,<3.2.0|>=3.0.0,<3.1.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] XSS vulnerability on contacts view
PKSA-ykqx-7zqg-n9bn CVE-2021-27911 GHSA-72hm-fx78-xwhc
Affected version: <4.0.0|>=3.3.0,<3.3.4|>=3.2.0,<3.3.0|>=3.1.0,<3.2.0|>=3.0.0,<3.1.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Stored XSS vulnerability on Bounce Management Callback
PKSA-dh3n-xcj8-kwbq CVE-2021-27910 GHSA-86pv-95mj-7w5f
Affected version: <4.0.0|>=3.3.0,<3.3.4|>=3.2.0,<3.3.0|>=3.1.0,<3.2.0|>=3.0.0,<3.1.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] XSS vulnerability on password reset page
PKSA-rqyb-wvf2-m87b CVE-2021-27909 GHSA-32hw-3pvh-vcvc
Affected version: <4.0.0|>=3.3.0,<3.3.4|>=3.2.0,<3.3.0|>=3.1.0,<3.2.0|>=3.0.0,<3.1.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[MEDIUM] Secret data exfiltration via symfony parameters
PKSA-ftms-7tmx-dwmz CVE-2021-27908 GHSA-4hjq-422q-4vpx
Affected version: >=3.3.0,<3.3.2|>=3.2.0,<3.3.0|>=3.1.0,<3.2.0|<3.1.0
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[HIGH] Mautic core - Moderately Critical - XSS vulnerability when creating/editing a company
PKSA-cjzg-6rfp-qkfk CVE-2021-3142 GHSA-p7v4-gm6j-cw9m
Affected version: >=3.2.0,<3.2.4|>=3.1.0,<3.2.0|>=3.0.0,<3.1.0|>=2.0.0,<2.16.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[CRITICAL] Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access
PKSA-ysg5-6d2n-7swq CVE-2020-35125 GHSA-42q7-95j7-w62m
Affected version: >=3.2.0,<3.2.4|>=3.1.0,<3.2.0|>=3.0.0,<3.1.0|>=2.0.0,<2.16.5
Reported by:
GitHub, FriendsOfPHP/security-advisories -
[CRITICAL] Mautic core - Highly Critical - XSS vulnerability leveraged through referrers could allow un-authorized admin access
PKSA-d4dv-g651-gm2b CVE-2020-35124 GHSA-39wj-j3jc-858m
Affected version: >=3.2.0,<3.2.4|>=3.1.0,<3.2.0|>=3.0.0,<3.1.0|>=2.0.0,<2.16.5
Reported by:
GitHub, FriendsOfPHP/security-advisories