Mautic
cpe:2.3:a:mautic:mautic:*:*:*:*:*:*:*
- >= 2.6.0
A SQL injection vulnerability has been identified in Mautic's API contact filtering system, affecting versions 2.6.0 and later. This vulnerability arises from inadequate recursive sanitization of nested query parameters, allowing authenticated API users to bypass input filters and inject arbitrary SQL commands. Exploitation of this vulnerability could enable unauthorized access to sensitive database information, including user credentials, system configurations, and personally identifiable information (PII) of contacts.
Exploitation of this vulnerability allows authenticated users with API access to execute arbitrary SQL queries on the database. This could lead to unauthorized access to sensitive data, such as user credentials and personal information of contacts, bypassing normal data access permissions.
Users are advised to upgrade to Mautic versions 7.1.2, 6.0.9, 5.2.11, or 4.4.20. If an immediate upgrade is not possible, API access can be temporarily disabled or restricted to trusted accounts.
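As an added example (not Mautic's own code, which is not reproduced here), the hypothetical `buildWhere()` below shows the defensive pattern the description above implies is missing: a nested contact-filter tree is validated recursively against column and operator allowlists at every level, and values are bound as parameters rather than concatenated. The filter shape, the allowlists and the constructed request are assumptions.

```php
<?php
// Added example, not Mautic's code: the filter tree is validated recursively so a
// nested group cannot smuggle an unchecked column or operator into the WHERE clause.
declare(strict_types=1);
// Hypothetical allowlists; a real implementation derives them from the schema.
const ALLOWED_COLUMNS   = ['email', 'firstname', 'lastname', 'points'];
const ALLOWED_OPERATORS = ['=', '!=', '<', '>', 'like'];
// Leaf: ['col'=>..,'expr'=>..,'val'=>..]   Group: ['join'=>'and'|'or','filters'=>[..]]
// Returns [sqlFragment, boundParams]; throws on anything off the allowlists.
function buildWhere(array $filter, int $depth = 0): array
{
    if ($depth > 8) {
        throw new InvalidArgumentException('filter nesting too deep');
    }
    if (is_array($filter['filters'] ?? null) && $filter['filters'] !== []) {
        $join = strtolower((string) ($filter['join'] ?? 'and'));
        if (!in_array($join, ['and', 'or'], true)) {
            throw new InvalidArgumentException("join not allowed: $join");
        }
        $parts = $params = [];
        foreach ($filter['filters'] as $child) {
            [$sql, $p] = buildWhere((array) $child, $depth + 1); // same rules at every level
            $parts[] = $sql;
            $params  = array_merge($params, $p);
        }
        return ['(' . implode(' ' . strtoupper($join) . ' ', $parts) . ')', $params];
    }
    $col = (string) ($filter['col'] ?? '');
    $op  = strtolower((string) ($filter['expr'] ?? ''));
    if (!in_array($col, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException("column not allowed: $col");
    }
    if (!in_array($op, ALLOWED_OPERATORS, true)) {
        throw new InvalidArgumentException("operator not allowed: $op");
    }
    // The value never reaches the SQL text; it is bound as a placeholder.
    return ["`$col` " . strtoupper($op) . ' ?', [$filter['val'] ?? null]];
}
// Constructed request: clean outer filter, non-identifier column name nested one level down.
$request = ['join' => 'and', 'filters' => [
    ['col' => 'points', 'expr' => '>', 'val' => 10],
    ['join' => 'or', 'filters' => [
        ['col' => 'email', 'expr' => 'like', 'val' => '%@example.org'],
        ['col' => 'email; --', 'expr' => '=', 'val' => 'x'],
    ]],
]];
try {
    [$sql, $params] = buildWhere($request); echo $sql, PHP_EOL;
} catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

A check that only inspects the top-level `col` and `expr` keys would accept this request, because the offending column name sits inside the inner group; the recursive version rejects it before any SQL is built.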