CVE-2024-47050 - Vulnerability Details - OpenCVE

ReportizFlow

Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Acquia	Mautic

Configuration 1 [-]

OR	cpe:2.3:a:acquia:mautic::::::::
	cpe:2.3:a:acquia:mautic::::::::

No data.

References

Link	Providers
https://github.com/mautic/mautic/security/advisories/GHSA-73gr-32wg-qhh7

History

Fri, 27 Sep 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Acquia Acquia mautic
CPEs		cpe:2.3:a:acquia:mautic::::::::
Vendors & Products		Acquia Acquia mautic

Thu, 19 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Sep 2024 21:15:00 +0000

Type	Values Removed	Values Added
Description		Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.
Title		XSS in contact/company tracking (no authentication)
Weaknesses		CWE-79
References		https://github.com/mautic/mautic/security/advisories/GHSA-73gr-32wg-qhh7
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Mautic

Published: 2024-09-18T21:04:46.642Z

Updated: 2024-09-19T15:41:19.126Z

Reserved: 2024-09-17T13:41:00.584Z

Link: CVE-2024-47050

Vulnrichment

Updated: 2024-09-19T15:41:15.384Z

NVD

Status : Analyzed

Published: 2024-09-18T21:15:13.743

Modified: 2024-09-27T15:29:21.450

Link: CVE-2024-47050

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47050", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "state": "PUBLISHED", "assignerShortName": "Mautic", "dateReserved": "2024-09-17T13:41:00.584Z", "datePublished": "2024-09-18T21:04:46.642Z", "dateUpdated": "2024-09-19T15:41:19.126Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://packagist.org", "defaultStatus": "unaffected", "packageName": "mautic/core", "product": "Mautic", "repo": "https://github.com/mautic/mautic", "vendor": "Mautic", "versions": [{"lessThan": "< 4.4.13", "status": "affected", "version": ">= 2.6.0", "versionType": "semver"}, {"lessThan": "< 5.1.1", "status": "affected", "version": "> 5.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Mqrtin"}, {"lang": "en", "type": "remediation developer", "value": "Patryk Gruszka"}, {"lang": "en", "type": "remediation reviewer", "value": "Lenon Leite"}, {"lang": "en", "type": "remediation reviewer", "value": "John Linhart"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.<br>"}], "value": "Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2024-09-18T21:04:46.642Z"}, "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-73gr-32wg-qhh7"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 4.4.13 or 5.1.1 or higher."}], "value": "Update to 4.4.13 or 5.1.1 or higher."}], "source": {"advisory": "GHSA-73gr-32wg-qhh7", "discovery": "EXTERNAL"}, "title": "XSS in contact/company tracking (no authentication)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T15:41:10.814610Z", "id": "CVE-2024-47050", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T15:41:19.126Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47050", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T15:41:10.814610Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T15:41:15.384Z"}}], "cna": {"title": "XSS in contact/company tracking (no authentication)", "source": {"advisory": "GHSA-73gr-32wg-qhh7", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Mqrtin"}, {"lang": "en", "type": "remediation developer", "value": "Patryk Gruszka"}, {"lang": "en", "type": "remediation reviewer", "value": "Lenon Leite"}, {"lang": "en", "type": "remediation reviewer", "value": "John Linhart"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mautic/mautic", "vendor": "Mautic", "product": "Mautic", "versions": [{"status": "affected", "version": ">= 2.6.0", "lessThan": "< 4.4.13", "versionType": "semver"}, {"status": "affected", "version": "> 5.0.0", "lessThan": "< 5.1.1", "versionType": "semver"}], "packageName": "mautic/core", "collectionURL": "https://packagist.org", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to 4.4.13 or 5.1.1 or higher.", "supportingMedia": [{"type": "text/html", "value": "Update to 4.4.13 or 5.1.1 or higher.", "base64": false}]}], "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-73gr-32wg-qhh7"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.", "supportingMedia": [{"type": "text/html", "value": "Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2024-09-18T21:04:46.642Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47050", "state": "PUBLISHED", "dateUpdated": "2024-09-19T15:41:19.126Z", "dateReserved": "2024-09-17T13:41:00.584Z", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "datePublished": "2024-09-18T21:04:46.642Z", "assignerShortName": "Mautic"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE9F17BE-23A1-4088-9B04-27DE04CC756E", "versionEndExcluding": "4.4.13", "versionStartIncluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC060988-1D0C-4CB2-A052-A0BCCD236381", "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable."}, {"lang": "es", "value": "Antes de que se aplicara este parche, el seguimiento de Mautic era vulnerable a Cross-Site Scripting a trav\u00e9s de la variable Page URL."}], "id": "CVE-2024-47050", "lastModified": "2024-09-27T15:29:21.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-09-18T21:15:13.743", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-73gr-32wg-qhh7"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}