Mautic Core Reflected Cross-Site Scripting Vulnerability in Lead Tagging

Vulnerability

A reflected cross-site scripting (XSS) vulnerability has been identified in Mautic Core versions from 4.4.0 prior to 4.4.17, 5.0.0-alpha through 5.2.8, and 6.0.0-alpha through 6.0.5. It allows an attacker to execute arbitrary JavaScript in the context of another user's session. The flaw is in the 'Tags' input field handled by the '/s/ajax?action=lead:addLeadTags' endpoint. Although the server sanitizes the input before storing it, the submitted value is reflected in the response and the payload executes immediately, enabling session hijacking and other malicious actions.
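The failure mode described above, sanitizing the tag before storage while echoing the submitted value back in the response, modelled as an added example (not Mautic's code and not part of the original advisory). The function names, the `<option>` response fragment and the sample tag values are assumptions constructed for illustration.

```python
import html
import re

# Simplified model, not Mautic's code: all names and the <option> fragment
# shape are assumptions made for this example.

def sanitize_for_storage(tag):
    """Strip tags before persisting (stands in for the server-side sanitizer)."""
    return re.sub(r"<[^>]*>", "", tag).strip()

def add_tags_reflecting_raw(submitted):
    """'Before' model: the stored value is clean, the response echoes raw input."""
    stored = [sanitize_for_storage(t) for t in submitted]
    fragment = "".join(f"<option selected>{t}</option>" for t in submitted)
    return stored, fragment

def add_tags_encoding_output(submitted):
    """Hardened model: respond with the stored value, HTML-encoded on output."""
    stored = [sanitize_for_storage(t) for t in submitted]
    fragment = "".join(
        f"<option selected>{html.escape(t, quote=True)}</option>" for t in stored
    )
    return stored, fragment

def unexpected_elements(fragment):
    """Regression check: element names in the fragment other than <option>."""
    names = re.findall(r"<\s*/?\s*([A-Za-z][\w-]*)", fragment)
    return sorted({n.lower() for n in names} - {"option"})

if __name__ == "__main__":
    # Constructed sample input: harmless markup plus a stray angle bracket.
    sample = ["vip<b>x</b>", "a < b"]
    for handler in (add_tags_reflecting_raw, add_tags_encoding_output):
        stored, fragment = handler(sample)
        print(handler.__name__, stored, unexpected_elements(fragment))
```

Both handlers store the same clean values; only the one that encodes on output keeps submitted markup out of the response, which is why a check on stored data alone would not catch this class of bug.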

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute malicious JavaScript in the victim's browser, potentially leading to session hijacking, theft of sensitive data such as cookies, and unauthorized actions within the application.

Remediation

Users can upgrade to Mautic Core versions 4.4.17, 5.2.8, or 6.0.5 to address this vulnerability.

Added: Sep 3, 2025, 3:23 PM
Updated: Sep 3, 2025, 3:23 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.1
exploitability: 5.2
remediation: 7.7
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.