Cross-site Scripting (XSS) - Stored in mautic/mautic

Valid

Reported on

Mar 7th 2022


Description

Mautic's email tracking pixel (the /email/<tracking_hash>.gif endpoint) stores the User-Agent header of whichever browser or mail client requests it.
That user agent is neither sanitised on input nor escaped on output in the timeline template.
Since the pixel endpoint requires no authentication, an anonymous requester can store an XSS payload that executes in the browser of any Mautic user who views that contact's timeline on the contact detail page.
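To make the defect concrete, here is an added example (not Mautic's own PHP/Twig code, and written in Python rather than PHP so it can be run stand-alone) that models the two halves of the bug: a tracking-pixel handler that stores the User-Agent verbatim, and a timeline renderer shown once without output escaping and once with it. The class and function names, the in-memory store and the sample request headers are this example's own assumptions.

```python
import html
import re
from dataclasses import dataclass, field


# Hypothetical in-memory model of a contact's timeline. Mautic's real entities
# and Twig templates are not reproduced here; these names are this example's own.
@dataclass
class TimelineEvent:
    event_type: str   # e.g. "Email sent", "Email read"
    user_agent: str   # stored verbatim from the User-Agent request header


@dataclass
class Contact:
    name: str
    events: list = field(default_factory=list)


def record_tracking_hit(contact, event_type, request_headers):
    """Server side of the tracking pixel: store the User-Agent exactly as
    received. Storing the raw value is not the defect; failing to escape it
    when it is rendered is."""
    user_agent = request_headers.get("User-Agent", "")
    contact.events.append(TimelineEvent(event_type, user_agent))


def render_timeline_vulnerable(contact):
    """Interpolates the stored user agent straight into HTML, which is the
    bug class described in the report: attacker markup becomes page markup."""
    rows = [f"<li><b>{e.event_type}</b>: {e.user_agent}</li>" for e in contact.events]
    return "<ul>" + "".join(rows) + "</ul>"


def render_timeline_fixed(contact):
    """Same template with output escaping applied to every untrusted value.
    quote=True also encodes quotes, so the value cannot break out of an
    attribute if a template ever places it inside one."""
    rows = [
        f"<li><b>{html.escape(e.event_type, quote=True)}</b>: "
        f"{html.escape(e.user_agent, quote=True)}</li>"
        for e in contact.events
    ]
    return "<ul>" + "".join(rows) + "</ul>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered_html):
    """True if the rendered page still contains an unescaped <script> tag,
    i.e. the payload would execute in a viewer's browser."""
    return SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    contact = Contact("test contact")
    # Constructed request headers: one with the report's payload, one benign.
    record_tracking_hit(contact, "Email read", {"User-Agent": '<script>alert("xss")</script>'})
    record_tracking_hit(contact, "Email read", {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"})
    print("vulnerable:", render_timeline_vulnerable(contact))
    print("fixed:     ", render_timeline_fixed(contact))
```

The fix belongs in the output layer: escape at render time rather than trying to strip markup on input, because the same stored value may be rendered in several templates (the report notes both the Email sent and Email read entries fire) and an input filter that misses one encoding leaves all of them exposed.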

Proof of Concept

1: create a contact
2: send an email to that contact, e.g. via the send email action on the contact detail page
3: get the tracking hash by clicking on the Email sent action on the contact detail page (the tracking hash is in the URL)
4: run the following command, substituting the tracking hash from step 3:

curl -X POST -H 'user-agent: <script>alert("xss")</script>' http://mautic.local/email/<tracking_hash>.gif

5: open the contact detail page of the created contact: the alert fires several times, once for each Email sent and Email read timeline entry that renders the stored user agent
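Because the payload arrives through an unauthenticated request, past exploitation attempts can be hunted for in web server access logs rather than in the database alone. The following is an added example (not part of the original report and not a Mautic tool) that parses Apache/nginx "combined" format lines and flags requests to the tracking-pixel route whose User-Agent carries HTML markup or event-handler attributes. The log lines are constructed for the example, the route pattern is taken from the PoC above, and the function and regex names are this example's own.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format (not real
# traffic). Quotes inside the User-Agent are backslash-escaped the way
# Apache writes them.
SAMPLE_LOG = r'''
10.0.0.5 - - [07/Mar/2022:10:15:32 +0000] "GET /email/1a2b3c4d5e6f.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Thunderbird/91.6.1"
10.0.0.9 - - [07/Mar/2022:10:16:01 +0000] "POST /email/1a2b3c4d5e6f.gif HTTP/1.1" 200 43 "-" "<script>alert(\"xss\")</script>"
10.0.0.9 - - [07/Mar/2022:10:16:07 +0000] "GET /email/1a2b3c4d5e6f.gif HTTP/1.1" 200 43 "-" "<img src=x onerror=alert(1)>"
10.0.0.7 - - [07/Mar/2022:10:17:45 +0000] "GET /s/contacts/view/12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0 <script>"
10.0.0.3 - - [07/Mar/2022:10:18:10 +0000] "GET /email/9f8e7d6c5b4a.gif HTTP/1.1" 200 43 "-" "curl/7.81.0"
'''

# One "combined" log line; the referer and user-agent fields may contain
# backslash-escaped quotes, hence the (?:[^"\\]|\\.)* alternation.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Tracking-pixel route from the PoC: /email/<tracking_hash>.gif. The
# character class for the hash is an assumption of this example.
PIXEL_PATH = re.compile(r'^/email/[A-Za-z0-9]+\.gif$')

# Markup that has no business in a User-Agent string: any HTML tag, a
# javascript: URL, or an on*= event-handler attribute.
SUSPICIOUS_UA = re.compile(
    r'<\s*/?\s*[a-z][a-z0-9]*[^>]*>|javascript:|\bon[a-z]+\s*=',
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not
    match. Unescapes \\" inside the User-Agent so payloads compare cleanly."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ua"] = rec["ua"].replace('\\"', '"')
    return rec


def find_pixel_xss_attempts(log_text):
    """Return records for requests to the tracking pixel whose User-Agent
    looks like an injection attempt. Requests to other routes are ignored
    here, since only the pixel stores the header into the contact timeline."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if PIXEL_PATH.match(rec["path"]) and SUSPICIOUS_UA.search(rec["ua"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_pixel_xss_attempts(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} ua={h["ua"]!r}')
```

Scoping the match to the pixel route keeps the hunt focused on the one endpoint that writes the header into the timeline; widening it to every route is a reasonable follow-up, but it will surface scanner noise that never reaches the vulnerable template. Any hit should be followed by checking the affected contact's stored timeline entries, since the payload persists after the request is gone.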

Impact

Because the payload is stored and then rendered to whoever views the contact's timeline, an attacker can (depending on the payload and on the interaction of the privileged user whose browser executes it) act with that user's privileges, up to full control over the Mautic installation.

We are processing your report and will contact the mautic team within 24 hours. 4 months ago
Ruth Cheesley (Maintainer), 4 months ago:

Thanks for the report, we will review this and get back to you.

Ruth Cheesley validated this vulnerability 4 months ago
mollux has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the mautic team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the mautic team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the mautic team. This report is now considered stale. 3 months ago
Jamie Slome confirmed that a fix has been merged on 462eb5 19 days ago
mollux has been awarded the fix bounty