Mautic
cpe:2.3:a:mautic:mautic:*:*:*:*:*:*:*
- <= 1.3.0
A Server-Side Template Injection (SSTI) vulnerability has been identified in Mautic's theme engine, affecting versions through 1.3.0. The vulnerability arises because the platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with the ability to create or upload themes can exploit this flaw to execute arbitrary code on the hosting server (remote code execution) or to read restricted system files and configuration settings.
Exploitation of this vulnerability allows authenticated users with theme upload and creation privileges to execute arbitrary code on the server or access sensitive system files and configuration settings.
Users are advised to upgrade to Mautic versions 7.1.2, 6.0.9, 5.2.11, or 4.4.20. For those on Mautic 4.x, the fix is available through the Extended Long-Term Support (ELTS) program. If an immediate upgrade is not possible, restrict theme upload and creation permissions to trusted administrators.
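The root cause above is rendering uploaded Twig templates without a sandbox. The following is an added example, not Mautic's own code, showing the hardened pattern: untrusted theme templates are rendered through Twig's SandboxExtension with an explicit allowlist, so anything outside that allowlist is refused. It assumes Twig 3.x installed via Composer; the template names, the `renderTheme` helper and the sample templates are constructed for illustration.

```php
<?php
// Added example (not Mautic's code): render untrusted theme templates through
// Twig's sandbox so a template cannot reach arbitrary PHP functionality.
// Assumes Twig 3.x is installed via Composer in the current directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed sample "uploaded" templates: one benign, one that reaches for
// a Twig function that a theme has no business calling.
$templates = [
    'benign.html.twig'    => '<h1>Hello {{ name|upper }}</h1>',
    'overreach.html.twig' => '{{ constant("PHP_OS") }}',
];

// Allowlist only what theme authors legitimately need; everything else is denied.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],             // allowed tags
    ['escape', 'e', 'upper', 'date'], // allowed filters
    [],                               // allowed methods, per class (none)
    [],                               // allowed properties, per class (none)
    ['range']                         // allowed functions
);

$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);
// Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

// Hypothetical wrapper: render a theme and refuse it (with a log line) on any
// sandbox violation instead of surfacing partial output or the error to the user.
function renderTheme(Environment $twig, string $name, array $vars): string
{
    try {
        return $twig->render($name, $vars);
    } catch (SecurityError $e) {
        error_log(sprintf('Rejected theme template %s: %s', $name, $e->getMessage()));
        return '';
    }
}

echo renderTheme($twig, 'benign.html.twig', ['name' => 'Alice']), PHP_EOL;
echo renderTheme($twig, 'overreach.html.twig', []), PHP_EOL;
```

The `constant()` call in the second template is outside the allowlist, so the sandbox raises a SecurityError before anything is evaluated; without the extension the same template renders normally, which is the unsafe behaviour the advisory describes.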