CVE-2024-47058 - Vulnerability Details - OpenCVE

With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00141.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Acquia	Mautic

Configuration 1 [-]

OR	cpe:2.3:a:acquia:mautic::::::::
	cpe:2.3:a:acquia:mautic::::::::

No data.

No data.

Fixes

Solution

Update to 4.4.13 or 5.1.1.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/mautic/mautic/security/advisories/GHSA-xv68-rrmw-9xwf

History

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.0012}`	epss `{'score': 0.00141}`

Fri, 27 Sep 2024 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Acquia Acquia mautic
CPEs		cpe:2.3:a:acquia:mautic::::::::
Vendors & Products		Acquia Acquia mautic

Thu, 19 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Sep 2024 21:15:00 +0000

Type	Values Removed	Values Added
Description		With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session.
Title		Cross-site Scripting (XSS) - stored (edit form HTML field)
Weaknesses		CWE-79
References		https://github.com/mautic/mautic/security/advisories/GHSA-xv68-rrmw-9xwf
Metrics		cvssV3_1 `{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: Mautic

Published: 2024-09-18T21:00:28.950Z

Updated: 2024-09-19T15:42:11.246Z

Reserved: 2024-09-17T13:41:00.585Z

Link: CVE-2024-47058

Vulnrichment

Updated: 2024-09-19T15:42:08.169Z

NVD

Status : Analyzed

Published: 2024-09-18T21:15:13.923

Modified: 2024-09-27T15:31:30.917

Link: CVE-2024-47058

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47058", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "state": "PUBLISHED", "assignerShortName": "Mautic", "dateReserved": "2024-09-17T13:41:00.585Z", "datePublished": "2024-09-18T21:00:28.950Z", "dateUpdated": "2024-09-19T15:42:11.246Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://packagist.org", "defaultStatus": "unaffected", "packageName": "mautic/core", "product": "Mautic", "repo": "https://github.com/mautic/mautic", "vendor": "Mautic", "versions": [{"lessThan": "< 4.4.13", "status": "affected", "version": ">= 1.0.0", "versionType": "semver"}, {"lessThan": "< 5.1.1", "status": "affected", "version": ">= 5.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "MatisAct"}, {"lang": "en", "type": "remediation developer", "value": "Lenon Leite"}, {"lang": "en", "type": "remediation reviewer", "value": "John Linhart"}, {"lang": "en", "type": "remediation reviewer", "value": "Avikarsha Saha"}], "datePublic": "2024-09-18T20:28:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session.<br>"}], "value": "With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2024-09-18T21:00:28.950Z"}, "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-xv68-rrmw-9xwf"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 4.4.13 or 5.1.1."}], "value": "Update to 4.4.13 or 5.1.1."}], "source": {"advisory": "GHSA-xv68-rrmw-9xwf", "discovery": "UNKNOWN"}, "title": "Cross-site Scripting (XSS) - stored (edit form HTML field)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T15:42:03.651742Z", "id": "CVE-2024-47058", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T15:42:11.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47058", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T15:42:03.651742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T15:42:08.169Z"}}], "cna": {"title": "Cross-site Scripting (XSS) - stored (edit form HTML field)", "source": {"advisory": "GHSA-xv68-rrmw-9xwf", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "MatisAct"}, {"lang": "en", "type": "remediation developer", "value": "Lenon Leite"}, {"lang": "en", "type": "remediation reviewer", "value": "John Linhart"}, {"lang": "en", "type": "remediation reviewer", "value": "Avikarsha Saha"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mautic/mautic", "vendor": "Mautic", "product": "Mautic", "versions": [{"status": "affected", "version": ">= 1.0.0", "lessThan": "< 4.4.13", "versionType": "semver"}, {"status": "affected", "version": ">= 5.0.0", "lessThan": "< 5.1.1", "versionType": "semver"}], "packageName": "mautic/core", "collectionURL": "https://packagist.org", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to 4.4.13 or 5.1.1.", "supportingMedia": [{"type": "text/html", "value": "Update to 4.4.13 or 5.1.1.", "base64": false}]}], "datePublic": "2024-09-18T20:28:00.000Z", "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-xv68-rrmw-9xwf"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session.", "supportingMedia": [{"type": "text/html", "value": "With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2024-09-18T21:00:28.950Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47058", "state": "PUBLISHED", "dateUpdated": "2024-09-19T15:42:11.246Z", "dateReserved": "2024-09-17T13:41:00.585Z", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "datePublished": "2024-09-18T21:00:28.950Z", "assignerShortName": "Mautic"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6555B3F-97C3-4192-BB29-BEDD3C63C4AB", "versionEndExcluding": "4.4.13", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC060988-1D0C-4CB2-A052-A0BCCD236381", "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session."}, {"lang": "es", "value": "Con acceso para editar un formulario de Mautic, el atacante puede agregar Cross-Site Scripting Almacenado en el archivo html. Esto podr\u00eda usarse para robar informaci\u00f3n confidencial de la sesi\u00f3n actual del usuario."}], "id": "CVE-2024-47058", "lastModified": "2024-09-27T15:31:30.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 2.5, "source": "security@mautic.org", "type": "Secondary"}]}, "published": "2024-09-18T21:15:13.923", "references": [{"source": "security@mautic.org", "tags": ["Vendor Advisory"], "url": "https://github.com/mautic/mautic/security/advisories/GHSA-xv68-rrmw-9xwf"}], "sourceIdentifier": "security@mautic.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@mautic.org", "type": "Secondary"}]}