### Impact
With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session.

### Patches
Upgrade to 4.4.13 or 5.1.1 or later.

### Workarounds
None

### References
- https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting

If you have any questions or comments about this advisory:

Email us at [[email protected]](mailto:[email protected])

Affected Packages

Packagist mautic/core

Affected versions: 5.0.0-alpha (fixed in 5.1.1)

Packagist mautic/core

Affected versions: 1.0.0-beta (fixed in 4.4.13)

Packagist mautic/core-lib

Affected versions: 5.0.0-alpha (fixed in 5.1.1)

Packagist mautic/core-lib

Affected versions: 1.0.0-beta (fixed in 4.4.13)

Related CVEs

CVE-2024-47058

Key Information

GHSA ID

GHSA-xv68-rrmw-9xwf

Published

September 18, 2024 10:05 PM

Last Modified

September 27, 2024 7:34 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

mautic/core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.