CVE-2020-35128
Description
Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mautic versions before 3.2.4 contain a stored XSS vulnerability allowing authenticated attackers with company management permissions to compromise other users, including administrators.
Vulnerability
Overview
CVE-2020-35128 is a stored cross-site scripting (XSS) vulnerability affecting Mautic, an open-source marketing automation platform, in versions prior to 3.2.4 [1][3]. The root cause lies in insufficient sanitization of user-supplied input in the company name field when managing companies. An authenticated attacker with permission to manage companies can inject malicious JavaScript payloads that are stored on the server and later executed in the browsers of other users who view the affected company data [4].
Exploitation
Prerequisites
Exploitation requires the attacker to have an authenticated session and be granted the 'manage companies' permission, a standard feature for certain Mautic user roles [4]. No additional privileges are needed beyond this access. The crafted payload can be introduced via the company name field during company creation or editing. Once stored, any user—including administrators—who loads the company list or detail page triggers the malicious script. The attacker could also load an externally crafted JavaScript file to bypass certain protections [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to full account takeover: the attacker can change the victim's password, alter associated email addresses, or escalate privileges by creating a new administrator account [3][4]. Because administrators have elevated access, compromising an admin account could give the attacker full control over the Mautic instance.
Mitigation
The vulnerability is fixed in Mautic version 3.2.4, which was released on January 14, 2021 [4]. Users should upgrade immediately. No official workarounds were published, but administrators should review and restrict the 'manage companies' permission to only trusted users until upgrading is possible [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mautic/core | Packagist | >= 3.2.0, < 3.2.4 | 3.2.4 |
| mautic/core | Packagist | >= 2.0.0, < 2.16.5 | 2.16.5 |
Affected products
- Mautic/Mautic
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-98j2-3jv7-274m (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-35128 (NVD advisory)
- forum.mautic.org/c/announcements/16 (Mautic announcements forum)
- forum.mautic.org/t/security-release-for-all-versions-of-mautic-prior-to-2-16-5-and-3-2-4/17786 (Mautic security release announcement)
- labs.bishopfox.com/advisories/mautic-version-3.2.2 (Bishop Fox advisory)
News mentions
No linked articles in our index yet.