CVE-2018-8071
Description
Mautic before v2.13.0 has stored XSS via a theme config file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mautic before 2.13.0 has a stored XSS vulnerability in theme config files, allowing arbitrary JavaScript execution in the admin UI.
Vulnerability
CVE-2018-8071 is a stored cross-site scripting (XSS) vulnerability in Mautic versions prior to 2.13.0. The vulnerability resides in the theme configuration file handling within the theme list template (app/bundles/CoreBundle/Views/Theme/list.html.php). The application fails to escape user-controlled values such as the theme name ($item['name']), theme key ($item['key']), and author name ($item['config']['author']) when rendering the theme management page, allowing an attacker to inject arbitrary HTML and JavaScript into the admin interface [1] [2]. The fix introduced in version 2.13.0 applies the escape() filter ($view->escape()) to these fields [2].
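As an added illustration (not Mautic's own code), the stand-alone PHP script below contrasts the pre-2.13.0 rendering of theme config values with the escaped form; the escapeHtml and safeHref helpers, the $item array layout and the sample values are constructed for this example and only approximate the real template and $view->escape().

```php
<?php
// Added example, not Mautic's code: a minimal stand-in for the theme list template,
// showing the pre-2.13.0 rendering beside the escaped form. The $item layout and the
// sample values are constructed for illustration.

// Approximation of Mautic's $view->escape(): entity-encode for an HTML body or a
// double-quoted attribute context (assumption: the real helper behaves equivalently).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// href attribute context: entity-encode and additionally refuse non-http(s) schemes,
// which encoding alone does not address.
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';
    }
    return escapeHtml($url);
}

// Pre-fix behaviour: values read from the theme config reach the page verbatim.
function renderRowVulnerable(array $item): string
{
    $author = isset($item['config']['authorUrl'])
        ? '<a href="' . $item['config']['authorUrl'] . '" target="_blank">' . $item['config']['author'] . '</a>'
        : ($item['config']['author'] ?? '');
    return '<td>' . $item['name'] . ' (' . $item['key'] . ')</td><td>' . $author . '</td>';
}

// Fixed behaviour: every theme-controlled value is escaped for the context it lands in.
function renderRowFixed(array $item): string
{
    $author = isset($item['config']['authorUrl'])
        ? '<a href="' . safeHref($item['config']['authorUrl']) . '" target="_blank">' . escapeHtml($item['config']['author']) . '</a>'
        : escapeHtml($item['config']['author'] ?? '');
    return '<td>' . escapeHtml($item['name']) . ' (' . escapeHtml($item['key']) . ')</td><td>' . $author . '</td>';
}

// Constructed sample: a theme whose config.json carries markup in the author fields.
$item = [
    'name'   => 'Blank <i>theme</i>',
    'key'    => 'blank',
    'config' => ['author' => 'Acme <script>alert(1)</script>', 'authorUrl' => 'javascript:alert(1)'],
];
echo renderRowVulnerable($item), PHP_EOL; // markup and the javascript: URL pass straight through
echo renderRowFixed($item), PHP_EOL;      // markup is entity-encoded and the href is neutralised
```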
Exploitation
An attacker with the ability to upload or modify a theme config file (e.g., a user with administrative privileges to manage themes) can craft a malicious theme configuration containing JavaScript payloads in the theme name, key, or author fields. When the theme management page is rendered in the browser, the unsanitized input executes in the context of the victim's session. No special network position or additional user interaction is required beyond the victim admin viewing the themes list [1] [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session, leading to potential data exfiltration, session hijacking, or administrative actions on behalf of the victim. Since the vulnerability is stored, the malicious script persists until the theme is removed or patched [1].
Mitigation
The vulnerability is fixed in Mautic version 2.13.0, released in April 2018 [1]. Users should upgrade to 2.13.0 or later immediately. No known workarounds are documented for earlier versions. The fix applies escaping to all user-controlled fields in the theme template, as shown in commit 3add236 [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mautic/core | Packagist | < 2.13.0 | 2.13.0 |
Affected products
Patches (1)
3add236e9cc0 Merge remote-tracking branch 'security/master.config-xss-2018-03-13'
1 file changed · +5 −5
app/bundles/CoreBundle/Views/Theme/list.html.php+5 −5 modified@@ -107,7 +107,7 @@ <div class="modal-header"> <button type="button" class="close" data-dismiss="modal" aria-label="Close"> <span aria-hidden="true">×</span></button> - <h4 class="modal-title" id="<?php echo $k; ?>"><?php echo $item['name']; ?></h4> + <h4 class="modal-title" id="<?php echo $k; ?>"><?php echo $view->escape($item['name']); ?></h4> </div> <div class="modal-body"> <div style="background-image: url(<?php echo $thumbnailUrl ?>);background-repeat:no-repeat;background-size:contain; background-position:center; width: 100%; height: 600px"></div> @@ -119,17 +119,17 @@ </td> <td> <div> - <?php echo $item['name']; ?> (<?php echo $item['key']; ?>) + <?php echo $view->escape($item['name']); ?> (<?php echo $view->escape($item['key']); ?>) </div> </td> <td> <div> <?php if (isset($item['config']['authorUrl'])) : ?> <a href="<?php echo $item['config']['authorUrl']; ?>" target="_blank"> - <?php echo $item['config']['author']; ?> + <?php echo $view->escape($item['config']['author']); ?> </a> <?php elseif (isset($item['config']['author'])) : ?> - <?php echo $item['config']['author']; ?> + <?php echo $view->escape($item['config']['author']); ?> <?php endif; ?> </div> </td> @@ -138,7 +138,7 @@ <?php foreach ($item['config']['features'] as $feature) : ?> <span style="white-space: nowrap;"> <span class="label label-default pa-4"> - <?php echo $view['translator']->trans('mautic.core.theme.feature.'.$feature); ?> + <?php echo $view['translator']->trans('mautic.core.theme.feature.'.$view->escape($feature)); ?> </span> </span> <?php endforeach; ?>
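Review bot: in the modal-header hunk (@@ -107), `id="<?php echo $k; ?>"` still emits `$k` unescaped into an attribute while `$item['name']` on the same line is now escaped; since the theme key (`$item['key']`) is treated as untrusted two hunks later, `$k` should get the same `$view->escape()` treatment, and `$thumbnailUrl` inside the inline `style` attribute deserves the same check if it derives from theme data.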
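Review bot: in the author cell hunk (@@ -119), `<a href="<?php echo $item['config']['authorUrl']; ?>"` is left unescaped while the link text beside it is escaped; the URL comes from the same theme config and sits in an attribute context, so it should at least be wrapped in `$view->escape()`, and ideally be restricted to http/https, since entity encoding does not stop a `javascript:` URL from executing on click.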
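Review bot: the feature-label hunk (@@ -138) escapes `$feature` before it is concatenated into the translation key (`'mautic.core.theme.feature.'.$view->escape($feature)`), so the value actually echoed is the translator's output, which remains unescaped, and any feature name containing a character the escaper rewrites (such as `&`) no longer matches its translation key; escaping the result instead, `$view->escape($view['translator']->trans('mautic.core.theme.feature.'.$feature))`, covers what is emitted.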
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References (5)
- github.com/advisories/GHSA-5w74-jx7m-x6hv (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8071 (advisory)
- github.com/mautic/mautic/commit/3add236e9cc00ea9b211b52cccc4660379b2ee8b (web)
- github.com/mautic/mautic/releases/tag/2.13.0 (web, x_refsource_MISC)
- github.com/mautic/mautic/security/advisories/GHSA-5w74-jx7m-x6hv (web)
News mentions (0)
No linked articles in our index yet.