VYPR
Critical severity · NVD Advisory · Published Feb 9, 2021 · Updated Aug 4, 2024

CVE-2020-35125

Description

A cross-site scripting (XSS) vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-35125 is a stored XSS in Mautic's forms component via the mautic[return] parameter, allowing unauthenticated attackers to inject JavaScript and potentially escalate to RCE.

The vulnerability is a cross-site scripting (XSS) flaw in the forms component of Mautic, an open-source marketing automation platform. The issue arises because the application improperly sanitizes the mautic[return] parameter, which is used to capture referrer information when a lead submits a form. An attacker can inject arbitrary JavaScript into this parameter, which is then stored and executed in the context of the Mautic application. This is distinct from CVE-2020-35124 but shares a similar attack vector related to the Referer header [1][4].

Exploitation does not require authentication; an unauthenticated attacker can craft a malicious link that includes a JavaScript payload in the mautic[return] parameter. When a lead (victim) clicks the link and submits a form, the payload is stored. The stored XSS can then be triggered when an administrator views the form submission data in the Mautic backend, leading to execution of the attacker's script in the admin's browser [1].

The impact is critical because the XSS can be chained with other vulnerabilities to achieve remote code execution. According to the Horizon3.ai disclosure, an attacker can leverage the stored XSS to steal admin session cookies or perform actions on behalf of an admin, ultimately gaining full control of the Mautic instance. This could lead to data exfiltration, server compromise, and further lateral movement [1].

The vulnerability is fixed in Mautic version 3.2.4. Users are strongly advised to update to the latest version. As of the disclosure, approximately 6,000 instances were found exposed via Shodan, highlighting the widespread risk. No workarounds are mentioned; upgrading is the recommended remediation [1][4].
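The narrative above describes a return parameter that is captured from a public form submission, stored, and later rendered in the admin backend. As an added illustration (not Mautic's code and not the fix the project shipped in 3.2.4), the Python below shows the two defensive controls such a parameter needs: validate it as a same-origin absolute path before storing it, and HTML-encode it at render time regardless of what was stored. Function names and the sample values are constructed for this example.

```python
from html import escape
from urllib.parse import urlsplit

DEFAULT_RETURN = "/"


def safe_return_target(value, default=DEFAULT_RETURN):
    """Accept only a same-origin, absolute-path return target.

    Anything else (absolute URLs, scheme-relative URLs, javascript: URIs,
    control characters that could split a Location header) falls back to the
    default landing page. This is the check applied before the value is stored.
    """
    if not value or len(value) > 2048:
        return default
    # Reject control characters on the raw string: urlsplit() in recent Python
    # strips \r, \n and \t before parsing, so this check must come first.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return default
    parts = urlsplit(value)
    # Any scheme (http, https, javascript, data ...) or host means off-site.
    if parts.scheme or parts.netloc:
        return default
    # Must be an absolute path; "//host" is caught above via netloc, but keep
    # the explicit check for parsers that treat it differently.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return value


def render_submission_row(return_value):
    """Render the stored value into an HTML table cell, always output-encoded.

    Encoding at the sink is the control that actually stops stored XSS; the
    validation above narrows what gets stored but is not a substitute for it.
    """
    return "<td>{}</td>".format(escape(return_value, quote=True))


def process_submission(raw_return):
    """Model the full path: validate on input, encode on output."""
    stored = safe_return_target(raw_return)
    return {"stored": stored, "rendered": render_submission_row(stored)}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real Mautic request.
    samples = [
        "/contact?utm=1",
        "https://evil.example/",
        "//evil.example/",
        "javascript:alert(1)",
        '/x" onmouseover="alert(1)',
        "/a\r\nX-Injected: y",
    ]
    for raw in samples:
        print(repr(raw), "->", process_submission(raw))
```

Note that the quoted-attribute sample passes validation (it is a plain path) and is neutralised only by the encoding in `render_submission_row`; that is the point of keeping both controls.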

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions    Patched versions
mautic/core   Packagist   < 2.16.5             2.16.5
mautic/core   Packagist   >= 3.0.0, < 3.2.4    3.2.4

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0

No linked articles in our index yet.