Security Research & Advisories

Reflected Cross-Site Scripting (XSS) Vulnerability in Mautic v2.16.2

Product: Mautic
Affected Version(s): 2.16.2 and probably prior
Tested Version(s): 2.16.2
Vendor Notification: June 8, 2020
Advisory Publication: June 8, 2020 [without technical details]
Vendor Fix: N/A
Public Disclosure: N/A
Latest Modification: June 8, 2020
CVE Identifier(s): Pending
Product Description: Mautic enables brands to integrate and personalize all their digital properties and channels into a seamless customer experience. With its modern approach to marketing automation, Mautic's suite of tools enables marketers to deliver higher-performing campaigns and content, and achieve superior results.
Credits: Min Thu Han, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Reflected Cross-Site Scripting (XSS) Vulnerability
Severity: Medium
CVSS Score: 5.4
CWE-ID: CWE-79
Status: Not Fixed
Vulnerability Description
Mautic version 2.16.2, and probably prior versions, is affected by a reflected Cross-Site Scripting (XSS) vulnerability. A remote authenticated attacker could use it to inject arbitrary web script or HTML, which then executes in the browser of a user who opens a crafted link to the affected page.
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
CVSS v3.x vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N


Full details about the vulnerability will be disclosed once the vendor has provided a patch.