Cross-site Scripting (XSS) - Stored in mautic/mautic
Reported on Mar 7th 2022
Description
Email tracking pixel hits store the user agent of the browser or mail client that opens the email.
That user agent is neither sanitised on input nor escaped on output in the template.
This allows anonymous users to store XSS payloads in the timeline on the contact's detail page.
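To make the description concrete, here is an added illustration (not Mautic's own code) of the two halves of the bug: a stored pixel hit whose user agent is kept verbatim, a timeline renderer that interpolates it straight into HTML, and the same renderer with HTML-context output escaping. The `PixelHit` fields, the renderer names and the hypothetical timeline markup are assumptions for this example; the payload is the one from the report.

```python
import html
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for a stored tracking-pixel hit.  The field names are
# assumptions for this example, not Mautic's actual schema.
@dataclass
class PixelHit:
    contact_id: int
    action_type: str   # e.g. "Email read"
    user_agent: str    # stored verbatim from the User-Agent request header


def record_pixel_hit(store: List[PixelHit], contact_id: int, headers: Dict[str, str]) -> PixelHit:
    """Store the hit as the report describes it: the User-Agent header is
    kept unsanitised.  That is only acceptable if every output path escapes."""
    hit = PixelHit(contact_id, "Email read", headers.get("user-agent", ""))
    store.append(hit)
    return hit


def render_timeline_vulnerable(hits: List[PixelHit]) -> str:
    """Hypothetical timeline template that interpolates the raw user agent
    into HTML: the vulnerable pattern.  Do not ship this."""
    rows = [f"<li>{h.action_type}: {h.user_agent}</li>" for h in hits]
    return "<ul>" + "".join(rows) + "</ul>"


def render_timeline_fixed(hits: List[PixelHit]) -> str:
    """Same template with HTML-context output escaping.  quote=True also
    escapes ' and ", which matters if the value ever lands in an attribute."""
    rows = [
        f"<li>{html.escape(h.action_type, quote=True)}: "
        f"{html.escape(h.user_agent, quote=True)}</li>"
        for h in hits
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def contains_script_tag(rendered: str) -> bool:
    """Minimal comparison check: does a raw <script tag survive in the output?"""
    return "<script" in rendered.lower()


def demo() -> Dict[str, str]:
    """Replays the report's request against both renderers and returns
    what each one emits for the stored hit."""
    store: List[PixelHit] = []
    # The exact User-Agent value from the report's curl command.
    record_pixel_hit(store, 1, {"user-agent": '<script>alert("xss")</script>'})
    # A benign hit, to show escaping leaves ordinary user agents readable.
    record_pixel_hit(store, 1, {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Thunderbird/91.6.1"})
    return {
        "vulnerable": render_timeline_vulnerable(store),
        "fixed": render_timeline_fixed(store),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out}")
```

The point the example makes is that output escaping, applied in the template at the point where the value enters an HTML context, is the fix; stripping tags on input would leave every other render path of the same column exposed and would still miss attribute or JavaScript contexts.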
Proof of Concept
1: create a contact
2: send an email to that contact via e.g. the send email action on the contact detail page
3: get the tracking hash by clicking on the mail sent action on the contact detail page (tracking hash is in the URL)
4: execute the following command (adapt the tracking_hash)

curl -X POST -H 'user-agent: <script>alert("xss")</script>' http://mautic.local/email/<tracking_hash>.gif

5: go to the contact page of the created contact
6: you will see multiple alerts from the Email sent and Email read action types
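From the defender's side, the request in step 4 leaves a distinctive trace: a hit on the tracking-pixel endpoint whose User-Agent contains markup. The following added script (not part of the report or of Mautic) scans web-server access logs for that pattern. It assumes Combined Log Format with Apache-style escaping of quotes inside quoted fields, assumes the pixel path shape `/email/<tracking_hash>.gif` shown in the report, and uses constructed sample lines with a made-up tracking hash.

```python
import re
from typing import Dict, Iterable, List, Optional

# Combined Log Format.  Quoted fields use Apache-style escaping: a literal
# quote is logged as \" and a backslash as \\ (nginx logs \x22 instead;
# extend unescape() if you feed it nginx logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Tracking-pixel endpoint as it appears in the report: /email/<tracking_hash>.gif
# (the alphanumeric hash shape is an assumption).
PIXEL_RE = re.compile(r'^/email/[A-Za-z0-9]+\.gif$')

# Markup or script indicators that have no business in a User-Agent string.
SUSPICIOUS_RE = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)


def unescape(field: str) -> str:
    """Undo Apache's backslash escaping inside a quoted log field."""
    return re.sub(r'\\(.)', r'\1', field)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ua"] = unescape(rec["ua"])
    rec["referer"] = unescape(rec["referer"])
    return rec


def find_suspicious_pixel_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return pixel-endpoint requests whose User-Agent carries markup.
    Only the pixel path is considered, because that is the value the
    report says is stored and later rendered in the contact timeline."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PIXEL_RE.match(rec["path"]):
            continue
        if SUSPICIOUS_RE.search(rec["ua"]):
            findings.append({k: rec[k] for k in ("ip", "ts", "method", "path", "ua")})
    return findings


# Constructed sample log lines (addresses from the TEST-NET range, hash made up).
SAMPLE_LOG_LINES = [
    r'203.0.113.5 - - [07/Mar/2022:10:15:01 +0000] "GET /email/a1b2c3d4e5f6.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (X11; Linux x86_64) Thunderbird/91.6.1"',
    r'203.0.113.9 - - [07/Mar/2022:10:16:22 +0000] "POST /email/a1b2c3d4e5f6.gif HTTP/1.1" 200 43 "-" "<script>alert(\"xss\")</script>"',
    r'203.0.113.9 - - [07/Mar/2022:10:17:03 +0000] "GET /s/contacts/view/1 HTTP/1.1" 200 1834 "-" "<script>alert(\"xss\")</script>"',
]


if __name__ == "__main__":
    for f in find_suspicious_pixel_hits(SAMPLE_LOG_LINES):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} ua={f['ua']!r}")
```

The third sample line carries the same payload but is not a pixel hit, so it is deliberately not reported; widen `PIXEL_RE` or drop the path filter if you want every request with markup in its User-Agent. Note that detection in the log is a complement to the template fix, not a substitute: an already-stored payload keeps firing until the output path escapes it.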
Impact
Due to the stored XSS vulnerability, it is possible (depending on the payload and on interaction from privileged users) to gain full control over the Mautic installation.
Thanks for the report, we will review this and get back to you.