
CVE-2022-25774: Mautic vulnerable to cross-site scripting in notifications via saving Dashboards

CVSS Score (v3.1): 4.8

Basic Information

EPSS Score: 0.0436%
Published: 2024-04-12
Updated: 2024-09-18
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name: mautic/core
Ecosystem: composer
Vulnerable Versions: < 4.4.12
First Patched Version: 4.4.12

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the getNameFromRequest() method's lack of input sanitization: the user-supplied 'name' parameter was taken from the request as-is. The commit diff shows that the patched version wraps that parameter in InputHelper::clean(), confirming this was the attack vector. Because the method directly handles user-controlled input that is then rendered in dashboard notifications (a context in which injected markup executes), and the patch targets exactly this method, getNameFromRequest() is the function to treat as vulnerable. Consistent with the CVSS vector (PR:H, UI:R), this is a self-XSS: the attacker must already be a logged-in Mautic user, and the payload fires when the notification is displayed.
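To make the before/after concrete, the following is an added example (not Mautic's code and not the actual patch): a minimal request object, a vulnerable getNameFromRequest() that returns the raw 'name' value, a patched variant that sanitizes it first, and a constructed notification template showing what reaches the browser in each case. FakeRequest, cleanInput() and buildNotificationHtml() are stand-ins invented here; cleanInput() only approximates what InputHelper::clean() does, and the payload is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Mautic's code. Shows the pattern described above: a
// dashboard "name" taken straight from the request and echoed into a
// notification (vulnerable) versus the same value passed through a
// sanitizer first (patched). Everything below is a constructed stand-in.

/** Minimal stand-in for Symfony's Request::get() (assumption, not the real class). */
final class FakeRequest
{
    /** @param array<string,string> $params */
    public function __construct(private array $params) {}

    public function get(string $key, ?string $default = null): ?string
    {
        return $this->params[$key] ?? $default;
    }
}

/**
 * Simplified stand-in for InputHelper::clean() (assumption): strip markup,
 * then HTML-encode whatever remains so it is inert when rendered.
 */
function cleanInput(string $value): string
{
    $value = strip_tags($value);
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Before the fix: the raw request value flows through untouched. */
function getNameFromRequestVulnerable(FakeRequest $request): string
{
    return $request->get('name', '');
}

/** After the fix: the value is sanitized before it is used anywhere. */
function getNameFromRequestPatched(FakeRequest $request): string
{
    return cleanInput($request->get('name', ''));
}

/** The notification body as a UI might render it (constructed template, not Mautic's). */
function buildNotificationHtml(string $dashboardName): string
{
    return sprintf('<div class="notification">Dashboard "%s" saved.</div>', $dashboardName);
}

// Constructed payload: a self-XSS vector a logged-in user could submit as the dashboard name.
$request = new FakeRequest(['name' => '<img src=x onerror=alert(document.cookie)>']);

echo 'Vulnerable: ', buildNotificationHtml(getNameFromRequestVulnerable($request)), PHP_EOL;
echo 'Patched:    ', buildNotificationHtml(getNameFromRequestPatched($request)), PHP_EOL;
```

Run with `php example.php`: the first line embeds the `<img onerror=...>` element verbatim inside the notification markup, which is exactly the condition the advisory describes; the second line carries no tag at all, because the sanitizer ran before the value reached the template. The real fix sits at the same point in the flow, on the value returned by getNameFromRequest(), so every consumer of that name benefits rather than each template having to remember to escape it.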


WAF Protection Rules

WAF Rule

### Impact
Prior to the patched version, logged-in users of Mautic are vulnerable to a self-XSS vulnerability in the notifications within Mautic. Users could inject malicious code into the notification when saving dashboards.

### Patches
Update to
