Cross-site Scripting (XSS) - Stored in mautic/mautic
Jan 12th 2022
When installing Mautic (both via UI or CLI) the first and last name of the admin account are not sanitised before being stored in the database.
This results in a possible stored XSS possibility, as those fields are displayed and re-used without any sanitisation.
That method is used to:
- display the name in the the user's menu, see codebase
- display the name on the profile page of that user, see codebase
- persistently store the name as
createdByUservalue on every entity that uses the
FormEntityas base class ( e.g. segment, contact, form, campaign, ... ), see codebase
Because that name is stored on every entity, following issues occurs as side effect:
createdByUservalue is displayed without any sanitisation in a generic helper template, see codebase
- That template is used on the detail page of entities, e.g. on a campaign
Proof of Concept
- Install a vanilla Mautic 3 or 4 via UI or CLI, and use
<script>alert('XSS')</script>firstnameas admin first name in the install process.
- login to Mautic, and you will get the XSS alert
- create an entity in Mautic (a Segment, Contact, Form, ...)
- change your first name to remove the XSS part
- go to your profile, and the XSS alert is not present anymore
- go to the detail page of the entity you just created, and the XSS is still there
While this may look like a not so impactful issue (why would an admin add stored XSS to his own Mautic instance?), following scenario is possible:
- someone does the initial installation of Mautic for you, without any direct access to database or server.
- he and adds an XSS payload to his first or last name during install
- he creates content that will be generally used by other users in the Mautic installation, e.g general segments, forms, ...
- he changes the first and last name again so everything looks normal
- you reset the password and email address of that account to prevent access from the other party.
- every time you visit an entity the initial admin created, the XSS fires as the initial admin's name with XSS payload is still displayed