CVE-2020-35124

9.6 CRITICAL

📋 TL;DR

This reflected cross-site scripting (XSS) vulnerability in Mautic's assets component writes the HTTP Referer header of an asset download request into the response without encoding it, so an attacker who controls that header value gets JavaScript executed in the victim's browser. Script running in a logged-in user's session can steal the session or credentials and act as that user; against an administrator it can be chained with administrative features toward code execution on the server. Mautic 2.x before 2.16.5 and 3.x before 3.2.4 are affected.

💻 Affected Systems

Products:
  • Mautic
Versions: 2.x before 2.16.5; 3.x before 3.2.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the assets component and is reached through the public asset download endpoint, which is exposed by design so that contacts can download files.

📦 What is this software?

Mautic is an open-source marketing automation platform written in PHP on Symfony. Its assets component stores downloadable files (whitepapers, brochures, attachments) and serves them to contacts through public download links so that downloads can be tracked.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The XSS itself only runs in a browser; reaching the server requires chaining it with an administrative feature. The worst case is therefore an administrator as the victim: the attacker hijacks the admin session, uses it to reach server-side code execution, takes full control of the Mautic host and pivots to internal networks.

🟠

Likely Case

Attackers steal a logged-in user's session cookie or credentials, act as that user in the Mautic UI, alter landing pages or emails, or redirect contacts to attacker-controlled sites.

🟢

If Mitigated

When the Referer value is HTML-encoded before it is written into the response (output encoding, the proper fix for this bug class), the injected markup renders as inert text and no script runs. A Content Security Policy that disallows inline script limits the damage if encoding is missed somewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no Mautic account: the public asset download endpoint is the entry point. It does require a victim to make the request with the payload in the Referer header, which in practice means luring a logged-in user (ideally an administrator) to follow a link from an attacker-controlled page whose URL carries the payload; how the browser encodes that URL and the site's referrer policy both affect whether the payload arrives intact. The vulnerability has been weaponized in real attacks, and the XSS can be chained with administrative functionality toward RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.16.5 or 3.2.4

Vendor Advisory: https://github.com/mautic/mautic/security/advisories/GHSA-39wj-j3jc-858m

Restart Required: No

Instructions:

1. Back up your Mautic installation and database.
2. Update to Mautic 2.16.5 (2.x branch) or 3.2.4 (3.x branch).
3. Verify the update completed successfully (check the version as described under How to Verify).
4. Clear the application cache (`php app/console cache:clear` on 2.x, `php bin/console cache:clear` on 3.x).

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rule

all

Block requests whose Referer header contains markup or script patterns (angle brackets, `javascript:` URIs, event-handler attributes such as `onload=`, and their percent-encoded forms). Match on the decoded, case-folded value: a rule that only looks for a literal `<script>` is bypassed by `%3CsCrIpT%3E` or by `<svg onload=...>`.

Input Validation Filter

all

Reject (do not merely strip) Referer values containing markup before the application sees them; a stripping filter leaves event-handler and encoded variants intact, and the application then reflects whatever survives. This is a stopgap: only the upstream patch encodes the value at the point where it is written into HTML.

🧯 If You Can't Patch

  • Deploy a Content Security Policy that disallows inline script (no 'unsafe-inline' in script-src; use nonces or hashes). Test the policy against the Mautic admin UI first, which may depend on inline scripts.
  • Restrict the asset download endpoint at the reverse proxy (by source IP or authentication). Contacts download assets through this endpoint, so this breaks the feature for external recipients until you patch.

🔍 How to Verify

Check if Vulnerable:

Check the Mautic version via the admin panel or the application files. 2.x below 2.16.5 and 3.x below 3.2.4 are vulnerable.

Check Version:

Check Mautic version in admin panel at /s/dashboard or examine app/version.txt file

Verify Fix Applied:

After patching, request an asset download with a harmless canary in the Referer header (for example a string containing `"` and `<...>` but no script) and inspect the HTML response: the canary must come back HTML-encoded (`&lt;`, `&gt;`, `&quot;`), not as raw markup. Do not use a real script payload against production.
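The check described above as a script, added here as an example; it is not part of the advisory or of Mautic. It assumes the Referer is reflected in an HTML response of the asset download endpoint and uses a hypothetical URL (https://mautic.example.com/asset/example-slug); the two response bodies at the bottom are constructed stand-ins for an unpatched and a patched server.

```python
"""Probe a Mautic asset download URL for raw reflection of the Referer header.

Added example, not Mautic project code. Assumes the HTML response of the asset
download endpoint is where the Referer is reflected; the URL and the sample
response bodies below are hypothetical/constructed.
"""
import sys
import urllib.error
import urllib.request

MARK = "xsscanary-CVE-2020-35124"
# Harmless canary: a quote to break out of an attribute value and angle brackets
# to open a tag. It executes nothing, so it is safe to send against production.
CANARY = f'"><{MARK}>'


def classify_reflection(body: str) -> str:
    """Tell how the server rendered the canary: 'vulnerable' (raw markup came
    back), 'encoded' (HTML-escaped, the expected post-patch result), 'altered'
    (reflected but modified; inspect by hand) or 'not_reflected'."""
    if f"<{MARK}>" in body:
        return "vulnerable"
    if f"&lt;{MARK}&gt;" in body:
        return "encoded"
    if MARK in body:
        return "altered"
    return "not_reflected"


def probe(asset_url: str, timeout: float = 10.0) -> dict:
    """Send the canary in the Referer header and classify what comes back."""
    req = urllib.request.Request(
        asset_url,
        headers={"Referer": f"https://attacker.example/{CANARY}",
                 "User-Agent": "cve-2020-35124-check"},
    )
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # error pages can reflect headers too; HTTPError is file-like
    with resp:
        content_type = resp.headers.get_content_type()
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, errors="replace")
        status = resp.getcode()
    # The asset file itself (non-HTML) cannot carry the reflection; say so rather
    # than reporting a misleading "not_reflected".
    verdict = classify_reflection(body) if content_type == "text/html" else "not_html"
    return {"status": status, "content_type": content_type, "verdict": verdict}


# Constructed bodies, not captured from a real server.
UNPATCHED_BODY = f'<a href="https://attacker.example/{CANARY}">Back</a>'
PATCHED_BODY = ('<a href="https://attacker.example/'
                '&quot;&gt;&lt;xsscanary-CVE-2020-35124&gt;">Back</a>')

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://mautic.example.com/asset/example-slug"
    print(probe(target))
```

Run it as `python check.py https://your-mautic/asset/<slug>`. A verdict of `not_html` means the endpoint streamed the file directly; the reflection, if any, then lives in whichever response of the endpoint is rendered as HTML, so repeat the probe against that variant rather than treating `not_html` as a pass.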

📡 Detection & Monitoring

Log Indicators:

  • Referer headers containing markup, `javascript:` URIs or event-handler attributes (including percent-encoded variants) on asset download requests
  • An administrator session used from a new source IP or user agent shortly after that administrator fetched an asset link (session hijack), rather than failed logins

Network Indicators:

  • HTTP requests to asset endpoints whose Referer header carries script or markup (not the URL of a page that could legitimately link to the asset)
  • Outbound connections from staff browsers to unfamiliar domains immediately after an asset download, consistent with cookie exfiltration

SIEM Query:

source="mautic_logs" AND uri="*/asset/*" AND (referer="*javascript:*" OR referer="*<script*" OR referer="*%3Cscript*" OR referer="*onload=*" OR referer="*onerror=*")

The wildcard match is case-sensitive in some SIEMs and misses double-encoded or other tag-based variants; a decoding, case-insensitive rule is more reliable.
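The detection above, and the Referer-screening logic the WAF/filter workarounds call for, as one runnable example added here; it is not Mautic code or part of the advisory. It assumes a combined-format access log (the Apache/nginx default) with the Referer in its usual field and that public asset downloads carry `/asset/` in the path; the log lines are constructed with RFC 5737 test addresses. The same `referer_is_suspicious` check is what a proxy-side rule would apply before forwarding the request.

```python
"""Flag reflected-XSS probes against Mautic asset downloads in an access log.

Added example, not Mautic project code. Assumes a combined-format access log
and "/asset/" in public download paths; the sample lines are constructed.
"""
import re
from urllib.parse import unquote

# Heuristics a reverse-proxy/WAF rule would apply to the Referer header. They are
# evaluated on the percent-decoded, case-insensitive value so %3CsCrIpT%3E is
# caught, and they cover vectors that contain no "<script>" at all.
SUSPICIOUS_REFERER = re.compile(
    r"<\s*/?\s*script\b"                                    # <script>, </script>
    r"|<\s*(?:svg|img|iframe|body|object|embed|video|audio|input|details|marquee)\b"
    r"|[\s\"'/`]on[a-z]+\s*="                               # onload=, onerror=, ...
    r"|javascript\s*:"                                      # javascript: URIs
    r"|vbscript\s*:"
    r"|data\s*:[^,]*text/html",                             # data:text/html,... documents
    re.IGNORECASE,
)

# Combined log format; quoted fields may contain backslash-escaped quotes.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)


def normalize_referer(value: str) -> str:
    """Unescape log quoting and percent-decode up to twice (double-encoded probes)."""
    value = value.replace('\\"', '"')
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def referer_is_suspicious(referer: str) -> bool:
    """True if the Referer carries markup or a script-bearing URI scheme."""
    return SUSPICIOUS_REFERER.search(normalize_referer(referer)) is not None


def scan_access_log(lines):
    """Return one record per asset-download request whose Referer looks like a probe."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if m is None or "/asset/" not in m["path"]:
            continue
        if referer_is_suspicious(m["referer"]):
            hits.append({"ip": m["ip"], "time": m["time"], "path": m["path"],
                         "referer": m["referer"]})
    return hits


# Constructed sample lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    # benign download; "online=1" must not trip the event-handler pattern
    '203.0.113.10 - - [10/Jan/2021:10:00:01 +0000] "GET /asset/whitepaper-2021 HTTP/1.1" 200 18422 "https://www.example.com/resources?online=1" "Mozilla/5.0"',
    # literal <script>, what the page's SIEM query catches
    '198.51.100.7 - - [10/Jan/2021:10:00:05 +0000] "GET /asset/whitepaper-2021 HTTP/1.1" 200 18422 "https://evil.example/<script>alert(1)</script>" "Mozilla/5.0"',
    # percent-encoded and mixed case: a literal *<script>* wildcard misses this
    '198.51.100.7 - - [10/Jan/2021:10:00:09 +0000] "GET /asset/whitepaper-2021 HTTP/1.1" 200 18422 "https://evil.example/?q=%3CsCrIpT%3Ealert(2)%3C/script%3E" "Mozilla/5.0"',
    # event handler, no <script> at all
    '198.51.100.7 - - [10/Jan/2021:10:00:12 +0000] "GET /asset/whitepaper-2021 HTTP/1.1" 200 18422 "https://evil.example/%3Csvg%20onload=alert(3)%3E" "Mozilla/5.0"',
    # same probe against a non-asset path: out of scope for this rule
    '198.51.100.7 - - [10/Jan/2021:10:00:20 +0000] "GET /s/login HTTP/1.1" 200 5120 "https://evil.example/<script>alert(4)</script>" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} referer={hit['referer']!r}")
```

Run on a real log with `scan_access_log(open("access.log"))`. The heuristics are deliberately broader than the page's wildcard query; expect some false positives from odd but legitimate referring URLs and review hits rather than blocking on them automatically.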

🔗 References

  • Vendor advisory: https://github.com/mautic/mautic/security/advisories/GHSA-39wj-j3jc-858m
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-35124