Platform: php
Component: mautic/core
Fixed in: 4.3.0
CVE-2022-25772 describes a critical Cross-Site Scripting (XSS) vulnerability present in Mautic Core versions up to and including 4.3.0-rc. This vulnerability arises from insufficient filtering of metadata associated with tracking pixels, allowing attackers to inject malicious scripts. Successful exploitation could lead to unauthorized access and control of user accounts. A patch is available in version 4.3.0.
The vulnerability lies in how Mautic handles tracking pixel metadata. Mautic uses tracking pixels to monitor email open rates and stores the request data associated with each hit. The flaw is that this metadata is not properly sanitized before it is displayed, so an attacker can inject arbitrary JavaScript. An attacker could craft a malicious tracking pixel request that embeds a script, which then executes in the browser of any Mautic user who views the stored metadata. This could allow the attacker to steal session cookies, redirect users to phishing sites, or deface the Mautic instance. The potential impact is significant, ranging from compromise of an individual account to broader system-level attacks if the affected user holds administrative privileges in the Mautic instance.
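As an added illustration (this is not Mautic's code), the pattern below shows the class of bug described above: request metadata recorded by a tracking pixel is rendered into an admin view. The hit data, field names (`ua`, `referer`) and both render functions are hypothetical; the unsafe version interpolates the stored values directly, the hardened version escapes them for the HTML context they land in.

```php
<?php
// Added example, not Mautic's own code. Hypothetical rendering of
// tracking-pixel metadata (User-Agent, Referer captured on email open).

// Constructed sample hits: the request headers are fully attacker-controlled,
// because anyone can issue a request to the pixel URL.
$hits = [
    ['ua' => 'Mozilla/5.0 (X11; Linux x86_64)', 'referer' => 'https://example.com/newsletter'],
    ['ua' => '<script>/* constructed marker */</script>', 'referer' => '" onmouseover="x()'],
];

// Vulnerable pattern: stored metadata is interpolated into markup unchanged,
// so a header value containing markup becomes live HTML in the viewer's browser.
function renderHitsUnsafe(array $hits): string {
    $out = '';
    foreach ($hits as $h) {
        $out .= "<tr><td>{$h['ua']}</td><td><a href=\"{$h['referer']}\">ref</a></td></tr>\n";
    }
    return "<table>\n$out</table>";
}

// Hardened pattern: escape every untrusted value for its output context.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHitsSafe(array $hits): string {
    $out = '';
    foreach ($hits as $h) {
        $ua = esc($h['ua']);
        // Only emit the referer as a link when it is an http(s) URL;
        // anything else is shown as escaped text, never placed in an attribute.
        $scheme = parse_url($h['referer'], PHP_URL_SCHEME);
        $ref = in_array($scheme, ['http', 'https'], true)
            ? '<a href="' . esc($h['referer']) . '">ref</a>'
            : esc($h['referer']);
        $out .= "<tr><td>$ua</td><td>$ref</td></tr>\n";
    }
    return "<table>\n$out</table>";
}

// The hardened output contains no raw <script> tag and no injected attribute.
assert(strpos(renderHitsSafe($hits), '<script') === false);
assert(strpos(renderHitsSafe($hits), 'onmouseover="') === false);

echo renderHitsUnsafe($hits), "\n\n", renderHitsSafe($hits), "\n";
```

The same check, viewing the metadata page after a request with markup in its headers and confirming it renders as text, is the post-upgrade verification step a defender would run.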
CVE-2022-25772 was publicly disclosed on May 25, 2022. There is currently no indication of active exploitation in the wild, but the vulnerability's critical severity and ease of exploitation suggest it remains a significant risk. No public proof-of-concept (PoC) exploits have been widely released, but the vulnerability's nature makes it likely that such exploits will emerge. It is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 2.07% (84th percentile)
CVSS Vector
The primary and recommended mitigation for CVE-2022-25772 is to immediately upgrade Mautic Core to version 4.3.0 or later. This version includes the necessary fixes to properly sanitize tracking pixel metadata and prevent XSS attacks. Unfortunately, there are no known workarounds for this vulnerability beyond upgrading. Ensure that backups are performed before initiating the upgrade process to facilitate rollback if necessary. After upgrading, confirm the fix by sending a test email with a tracking pixel and verifying that the metadata display does not allow for script execution.
Update Mautic to version 4.3.0 or later. This version fixes the XSS vulnerability in the web tracking component. The update can be performed through the Mautic administration panel or by downloading the latest version from the official website.
CVE-2022-25772 is a critical XSS vulnerability in Mautic Core versions up to 4.3.0-rc, allowing attackers to inject malicious scripts via tracking pixel metadata.
Yes, if you are running Mautic Core versions 4.3.0-rc or earlier, you are vulnerable to this XSS attack.
Upgrade Mautic Core to version 4.3.0 or later to patch the vulnerability. There are no known workarounds.
While there's no confirmed active exploitation, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the official Mautic security advisory for more information.