8.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-27911

GHSA ID

GHSA-72hm-fx78-xwhc

EPSS Score

0.56975%

CWE

CWE-79

Published

9/1/2021

Updated

2/7/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-27911

CVE-2021-27911: XSS vulnerability on contacts view

Impact

Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can be populated from different sources such as UI, API, 3rd party syncing, forms, etc.

Patches

Upgrade to 3.3.4 or 4.0.0

Workarounds

References

https://github.com/mautic/mautic/releases/tag/3.3.4 https://github.com/mautic/mautic/releases/tag/4.0.0

For more information

If you have any questions or comments about this advisory:

Email us at security@mautic.org

(GitHub Advisory)

8.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-27911

GHSA ID

GHSA-72hm-fx78-xwhc

EPSS Score

0.56975%

CWE

CWE-79

Published

9/1/2021

Updated

2/7/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mautic/core	composer	< 3.3.4	3.3.4
mautic/core	composer	>= 4.0.0-alpha1, < 4.0.0	4.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped contact names being rendered in JavaScript contexts. Key indicators:

The attack triggers via hover interaction with campaign buttons, suggesting inline JS event handlers
First/last names are user-controlled inputs from multiple sources
XSS occurs despite standard HTML escaping because the payload exists in JS context
The patch versions (3.3.4/4.0.0) likely added JS-specific escaping in template rendering

While exact code isn't available, Mautic's architecture suggests:

DynamicContentExtension handles content rendering
LeadController's view action prepares contact data These components would be responsible for properly escaping outputs in different contexts. The high confidence for DynamicContentExtension comes from its direct role in content rendering, while the controller gets medium confidence as the data source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t M*uti* v*rsions ***or* *.*.*/*.*.* *r* vuln*r**l* to *n inlin* JS XSS *tt**k t*rou** t** *ont**t's *irst or l*st n*m* *n* tri***r** w**n vi*win* * *ont**t's **t*ils p*** t**n *li*kin* on t** **tion *rop *own *n* *ov*rin* ov*r t** **mp*i*ns

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** *ont**t n*m*s **in* r*n**r** in J*v*S*ript *ont*xts. K*y in*i**tors: *. T** *tt**k tri***rs vi* *ov*r int*r**tion wit* **mp*i*n *uttons, su***stin* inlin* JS *v*nt **n*l*rs *. *irst/l*st n*m*s *r* us*r-*ontroll*

8.4

Basic Information

Concerned about an active attack path?

CVE-2021-27911: XSS vulnerability on contacts view

Impact

Patches

Workarounds

References

For more information

8.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI