CVE-2020-35128

9.0 CRITICAL

📋 TL;DR

CVE-2020-35128 is a stored cross-site scripting (XSS) vulnerability in Mautic that allows attackers with company management permissions to inject malicious scripts, potentially compromising other users, including administrators. This can lead to unauthorized actions such as password changes, email alterations, or adding new administrators. Users of Mautic versions before 3.2.4 are affected.

💻 Affected Systems

Products:
  • Mautic
Versions: All versions prior to 3.2.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have permissions to manage companies; default configurations may grant such permissions to certain user roles.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full administrative control, modifies user credentials, adds new admins, and potentially takes over the entire Mautic instance, leading to data breaches or system compromise.

🟠 Likely Case

Attackers with existing low-level permissions exploit the vulnerability to escalate privileges, perform unauthorized actions on user accounts, and steal sensitive data.

🟢 If Mitigated

With strict access controls and input validation, impact is limited to isolated user account tampering without full system takeover.

🌐 Internet-Facing: HIGH, as Mautic instances exposed to the internet are directly accessible to attackers, increasing exploitation likelihood.
🏢 Internal Only: MEDIUM, as internal attackers with necessary permissions could still exploit it, but external access is restricted.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with company management privileges; public advisories and proof-of-concepts are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.4

Vendor Advisory: https://forum.mautic.org/t/security-release-for-all-versions-of-mautic-prior-to-2-16-5-and-3-2-4/17786

Restart Required: No

Instructions:

1. Back up your Mautic instance.
2. Update Mautic to version 3.2.4 or later via the admin panel or a manual upgrade.
3. Verify the update by checking the version in the admin interface.

🔧 Temporary Workarounds

Restrict Company Management Permissions


Limit access to company management features to trusted administrators only to reduce attack surface.

Implement Content Security Policy (CSP)


Deploy a CSP that restricts where scripts may come from, so that a script injected into a company field is not executed by the browser. Roll the policy out first with the Content-Security-Policy-Report-Only header, because a strict script-src can break legitimate application scripts.

Add a 'Content-Security-Policy' header in the web server configuration, e.g.:
For Apache: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
For Nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self';";
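As an added example, not part of this advisory and not Mautic's own code, the following Python checker parses a Content-Security-Policy header value and reports the settings that would still let an injected script run. It applies two rules from the CSP specification: script-src falls back to default-src when absent, and a nonce or hash source causes 'unsafe-inline' to be ignored. The header values above are used as input alongside a constructed weak policy; the function names are assumptions made for this example.

```python
# Added example: evaluate whether a CSP header value would still permit an
# injected <script> to execute. Not taken from Mautic or from the advisory.

PAGE_POLICY = "default-src 'self'; script-src 'self'"        # the workaround above
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' https:"  # constructed


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_script_sources(policy):
    """script-src governs scripts; if it is absent, default-src applies instead.
    If neither is present the browser imposes no restriction at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", ["*"])


def csp_weaknesses(header):
    """Return human-readable reasons the policy does not block injected scripts.
    An empty list means the policy blocks inline and cross-origin script execution."""
    policy = parse_csp(header)
    if not policy:
        return ["no Content-Security-Policy set: any script may run"]

    sources = [s.lower() for s in effective_script_sources(policy)]
    problems = []

    # Per the spec, 'unsafe-inline' is ignored once a nonce or hash source is present.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        problems.append("'unsafe-inline' lets injected inline scripts run")
    if "*" in sources:
        problems.append("wildcard '*' lets scripts load from any host")
    for s in sources:
        if s in ("http:", "https:", "data:"):
            problems.append(f"scheme source {s} lets scripts load from any {s} URL")
    return problems


if __name__ == "__main__":
    for name, value in (("page policy", PAGE_POLICY), ("weak policy", WEAK_POLICY)):
        print(f"{name}: {csp_weaknesses(value) or 'blocks injected scripts'}")
```

The checker only looks at script execution; a complete review would also cover object-src, base-uri and frame-ancestors, which this advisory does not discuss.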

🧯 If You Can't Patch

  • Isolate the Mautic instance in a segmented network to limit access and potential lateral movement.
  • Monitor and audit user activities, especially company management actions, for suspicious behavior.

🔍 How to Verify

Check if Vulnerable:

Check the Mautic version in the admin panel under 'System Info' or via the database; if the version is below 3.2.4, the instance is vulnerable.

Check Version:

In Mautic admin, navigate to System Info or run: grep -i 'version' /path/to/mautic/app/config/parameters.php (if file exists)

Verify Fix Applied:

After updating, confirm the version is 3.2.4 or higher in the admin panel and test company management features for XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual company management activities, such as frequent edits or script injections in company fields
  • HTTP requests with suspicious JavaScript payloads in parameters

Network Indicators:

  • Outbound connections to external domains from Mautic instance, potentially loading malicious scripts

SIEM Query:

Example: source="mautic_logs" AND (event="company_edit" OR event="company_create") AND (message="*script*" OR message="*javascript*")
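As an added example, not part of this advisory and not a Mautic tool, the following Python script applies the log indicators and the SIEM query above to a set of constructed audit-log lines. The one-JSON-object-per-line format and the field names (event, user, field, value) are assumptions for the example; Mautic's real log schema is not shown on this page. It flags company create/edit events whose values contain script-like content after undoing the URL and HTML-entity encoding that a plain `*script*` match would miss, and it reports users who make a burst of company edits within a short window, covering the "frequent edits" indicator as well.

```python
import json
import re
from datetime import datetime, timedelta
from html import unescape
from urllib.parse import unquote

# Constructed sample audit-log lines. Field names are assumptions for this example,
# not Mautic's real audit-log schema.
SAMPLE_LOG = """\
{"ts": "2021-01-10T09:12:01Z", "event": "company_create", "user": "mkt01", "field": "companyname", "value": "Acme Corp"}
{"ts": "2021-01-10T09:13:44Z", "event": "company_edit", "user": "mkt02", "field": "companywebsite", "value": "https://example.org"}
{"ts": "2021-01-10T09:15:20Z", "event": "company_edit", "user": "mkt02", "field": "companyname", "value": "<script>alert(1)</script>"}
{"ts": "2021-01-10T09:15:21Z", "event": "company_edit", "user": "mkt02", "field": "companywebsite", "value": "javascript:alert(1)"}
{"ts": "2021-01-10T09:15:23Z", "event": "company_edit", "user": "mkt02", "field": "companydescription", "value": "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}
{"ts": "2021-01-10T09:15:25Z", "event": "company_edit", "user": "mkt02", "field": "companyname", "value": "&lt;svg onload=alert(1)&gt;"}
{"ts": "2021-01-10T09:40:00Z", "event": "lead_edit", "user": "mkt03", "field": "email", "value": "<script>not a company event</script>"}
{"ts": "2021-01-10T10:01:00Z", "event": "company_edit", "user": "mkt01", "field": "companyname", "value": "Acme Corporation"}
"""

COMPANY_EVENTS = {"company_create", "company_edit"}

# Signatures for the script injections named in the log indicators above.
SCRIPT_PATTERNS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(?:img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def normalize(value):
    """Undo the encodings a payload commonly hides behind before matching."""
    text = value
    for _ in range(2):          # tolerate double URL-encoding
        text = unquote(text)
    return unescape(text)       # HTML entities such as &lt; and &gt;


def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_script_payloads(events):
    """Return (ts, user, field, matched_text) for company events whose value looks like script."""
    hits = []
    for ev in events:
        if ev["event"] not in COMPANY_EVENTS:
            continue
        m = SCRIPT_PATTERNS.search(normalize(ev.get("value", "")))
        if m:
            hits.append((ev["ts"], ev["user"], ev["field"], m.group(0)))
    return hits


def find_edit_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: max count} for users with >= threshold company events in one sliding window."""
    per_user = {}
    for ev in events:
        if ev["event"] in COMPANY_EVENTS:
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            per_user.setdefault(ev["user"], []).append(ts)

    bursts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_script_payloads(evs):
        print("script payload:", hit)
    for user, n in find_edit_bursts(evs).items():
        print(f"burst: {user} made {n} company edits within 5 minutes")
```

The event-handler signature (`on[a-z]+=`) will also match harmless phrases such as "option = value" in a free-text description, so treat a hit as a lead for review of the stored field rather than a confirmed injection; the burst detector's threshold and window should be tuned to how often your marketing team legitimately edits companies.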

🔗 References
