XSS vulnerability on password reset page
Package
Affected versions
< 3.3.4
>= 4.0.0-alpha1, < 4.0.0
Patched versions
3.3.4
4.0.0
Description
Published by the National Vulnerability Database
Aug 30, 2021
Reviewed
Aug 30, 2021
Published to the GitHub Advisory Database
Sep 1, 2021
Last updated
Feb 7, 2024
Impact
For Mautic versions prior to 3.3.4, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into clicking a password reset URL with the vulnerable parameter utilized.
Patches
Upgrade to 3.3.4 or 4.0.0
Workarounds
No
References
https://github.com/mautic/mautic/releases/tag/3.3.4
https://github.com/mautic/mautic/releases/tag/4.0.0
For more information
If you have any questions or comments about this advisory:
References