
CVE-2021-27908: Mautic vulnerable to secret data exfiltration via symfony parameters

CVSS Score (CVSS 3.1): 5.8

Basic Information

EPSS Score: 0.30054%
Published: 4/6/2021
Updated: 2/5/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
mautic/core    composer    < 3.3.2               3.3.2

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from two mechanisms: (1) the configuration system's parameter merging, which accepts untrusted input containing parameter references, and (2) the template rendering system, which resolves those references in public-facing contexts. Configurator::mergeParameters is vulnerable because it allows parameter injection through user-controlled fields; TwigExtension::getParameter is vulnerable because it resolves parameters in templates without proper access controls. Together, these functions form a chain that lets an admin user exfiltrate secrets through parameter interpolation in public output.
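As an added illustration of the chain described above (a constructed simulation, not Mautic's or Symfony's own code), the following Python mimics Symfony-style `%name%` parameter interpolation: an admin-supplied value carrying a reference resolves to a secret when rendered publicly, while a merge that escapes `%` as `%%` (Symfony's literal-percent convention) leaves the reference inert. All parameter names, values and function names are placeholders chosen for the example.

```python
import re

# Constructed stand-in for the merged parameter table built from the
# application configuration; the secret is a placeholder, not a real value.
BASE_PARAMETERS = {
    "mailer_password": "PLACEHOLDER-SMTP-SECRET",
}
# Constructed admin-controlled field whose value smuggles a parameter reference.
ADMIN_INPUT = {"footer_text": "Contact us: %mailer_password%"}
REF = re.compile(r"%([^%\s]+)%")

def resolve(value: str, params: dict) -> str:
    """Symfony-style interpolation: '%%' is a literal '%', '%name%' a reference."""
    def lookup(m):
        name = m.group(1)
        if name not in params:
            raise KeyError(f"unknown parameter: {name}")
        return params[name]
    # Split on escaped percents first so they are never treated as references.
    return "%".join(REF.sub(lookup, part) for part in value.split("%%"))

def merge_parameters_unsafe(base: dict, admin_input: dict) -> dict:
    """Vulnerable pattern: untrusted values merged verbatim, references intact."""
    merged = dict(base)
    merged.update(admin_input)
    return merged

def escape_value(value):
    """Double every '%' so an untrusted value can only ever resolve to itself."""
    return value.replace("%", "%%") if isinstance(value, str) else value

def merge_parameters_hardened(base: dict, admin_input: dict) -> dict:
    """Hardened merge: admin-supplied strings are escaped before entering the table."""
    merged = dict(base)
    merged.update({k: escape_value(v) for k, v in admin_input.items()})
    return merged

def render_public_footer(params: dict) -> str:
    """Toy stand-in for a public template resolving a parameter at render time."""
    return resolve(params["footer_text"], params)

def find_parameter_references(admin_input: dict) -> list:
    """Detection aid: report admin-supplied values that carry unescaped references."""
    hits = []
    for key, value in admin_input.items():
        if isinstance(value, str):
            for part in value.split("%%"):
                hits.extend((key, m.group(1)) for m in REF.finditer(part))
    return hits
```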
