Mautic
cpe:2.3:a:mautic:mautic:*:*:*:*:*:*:*
- >= 4.0.0
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Mautic Focus component, affecting versions 4.0.0 and later. The vulnerability arises from inadequate validation of user-supplied URLs, which lets authenticated users make the server initiate outbound HTTP requests to destinations of their choosing. An authenticated user could exploit this to perform internal network reconnaissance, mapping firewalled infrastructure by probing internal ports, or to direct server-initiated requests to arbitrary internal or external destinations.
Users are advised to upgrade to Mautic version 7.1.2, 6.0.9, 5.2.11, or 4.4.20. Users on the Extended Long-Term Support (ELTS) plan should upgrade to 4.4.20. If an immediate upgrade is not possible, consider disabling or restricting outbound network access from the Mautic web server so that it cannot reach internal-only subnets or local hosts.
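The root cause stated above is inadequate validation of user-supplied URLs before the server fetches them. The following is an added example, not Mautic's code and not the project's fix, of the kind of outbound-URL check a server-side fetcher should apply: it accepts only http/https, and rejects any host that is, or resolves to, a loopback, private, link-local, multicast, reserved or unspecified address, including IPv4-mapped IPv6 forms. The hostnames `example.test`, `intranet.test`, `dual.test` and the `constructed_resolver` table are constructed stand-ins for DNS so the example runs offline.

```python
"""Illustrative outbound-URL validation for an SSRF fix.

Added example; not Mautic's code. The resolver is injectable so the check can
be exercised offline against a constructed DNS table.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[IPAddress]]

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[IPAddress]:
    """Resolve a hostname with the OS resolver, returning every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(ip: IPAddress) -> bool:
    """True only for addresses a server may contact on a user's behalf."""
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.5) so the IPv4 ranges apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return ip.is_global


def validate_outbound_url(url: str, resolver: Optional[Resolver] = None) -> Tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). Every address the host maps to must be public;
    a single non-public answer rejects the URL.
    """
    resolve = resolver or system_resolver
    try:
        parsed = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname  # brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    try:
        addresses: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:  # socket.gaierror is an OSError
            return False, f"hostname does not resolve: {host!r}"
        if not addresses:
            return False, f"no addresses for host {host!r}"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"host maps to non-public address {ip}"
    return True, "ok"


# Constructed DNS table so the example runs offline; these names are not real.
_CONSTRUCTED_DNS = {
    "example.test": [ipaddress.ip_address("93.184.216.34")],
    "intranet.test": [ipaddress.ip_address("10.1.2.3")],
    # One public and one loopback answer: the loopback answer must reject it.
    "dual.test": [ipaddress.ip_address("93.184.216.34"), ipaddress.ip_address("::1")],
}


def constructed_resolver(host: str) -> List[IPAddress]:
    """Stand-in for DNS used by the demo below (constructed, not real lookups)."""
    if host not in _CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed: no such host {host}")
    return _CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "https://example.test/page",
        "http://127.0.0.1:8080/",
        "http://169.254.169.254/",
        "http://[::ffff:10.0.0.5]/",
        "http://intranet.test/",
        "http://dual.test/",
        "file:///etc/passwd",
    ]:
        print(candidate, "->", validate_outbound_url(candidate, resolver=constructed_resolver))
```

Two caveats a practitioner should keep in mind. First, validating the resolved address and then handing the hostname to an HTTP client that resolves it again leaves a DNS-rebinding window; a robust fix pins the connection to the address that was validated. Second, the check must be re-applied to every redirect target, since a public URL that 302s to an internal address defeats a check performed only on the initial URL. Judging the host by what the resolver returns, rather than by pattern-matching the string, also means alternative host encodings are assessed by the address they actually map to.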