Critical severity9.6NVD Advisory· Published Feb 9, 2021· Updated Jun 17, 2026
CVE-2020-35125
CVE-2020-35125
Description
A cross-site scripting (XSS) vulnerability in the forms component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mautic/corePackagist | < 2.16.5 | 2.16.5 |
mautic/corePackagist | >= 3.0.0, < 3.2.4 | 3.2.4 |
Affected products
2- Mautic/Mauticdescription
Patches
Vulnerability mechanics
References
8- github.com/mautic/mautic/security/advisories/GHSA-42q7-95j7-w62mnvdPatchThird Party AdvisoryWEB
- www.horizon3.ai/disclosures/mautic-unauth-xss-to-rcenvdExploitTechnical DescriptionThird Party AdvisoryWEB
- forum.mautic.org/c/announcements/16nvdVendor AdvisoryWEB
- github.com/advisories/GHSA-42q7-95j7-w62mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-35125ghsaADVISORY
- www.mautic.org/blog/community/security-release-all-versions-mautic-prior-2-16-5-and-3-2-4nvdRelease NotesVendor AdvisoryWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2020-35125.yamlghsaWEB
- packagist.org/packages/mautic/coreghsaWEB
News mentions
0No linked articles in our index yet.