VYPR
Moderate severity · NVD Advisory · Published Mar 23, 2021 · Updated Sep 16, 2024

CVE-2021-27908


Description

In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic’s configuration that are used in publicly facing parts of the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Mautic admin can expose secret configuration parameters (e.g. database credentials) by using Symfony parameter syntax in publicly-facing free text fields.

Vulnerability

CVE-2021-27908 affects all versions of Mautic prior to 3.3.2. The root cause is that Mautic transforms configuration parameters into Symfony parameters and allows the use of Symfony parameter syntax (e.g., %mautic.db_password%) in free text fields of the configuration. These fields are then rendered in publicly accessible parts of the application, such as the analytics script field used on landing pages [1][2][3].

Exploitation

An authorized admin user with access to the configuration page can inject Symfony parameter references into one of these free text fields. For example, entering `%mautic.db_password%` into the "Analytics script" field on the Landing Page Settings configuration page will cause the actual value of the `mautic.db_password` parameter to be substituted and output when any landing page is visited [4]. No privileges beyond a normal admin account are required, but the attacker must already hold administrative access to the Mautic instance.

Impact

An attacker who can perform this attack can exfiltrate secret configuration parameters, including database credentials (username, password, host), email server credentials, API keys, and other sensitive values stored in Symfony parameters. This could lead to complete compromise of the Mautic application and its associated data, as well as lateral movement to other systems that reuse those credentials [1][4].

Mitigation

The vendor has patched this vulnerability in Mautic version 3.3.2 by preventing Symfony parameter syntax from being evaluated in these configuration fields. Users should upgrade to 3.3.2 or later immediately. No workarounds are available [4]. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
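To make the mechanism in the Vulnerability, Exploitation and Mitigation sections concrete, the following is an added illustration written for this page; it is not Mautic's or Symfony's own code. It models in plain PHP how a Symfony-style `%name%` reference in an admin-edited free text field gets replaced by the parameter's value when the field is rendered, and shows the two defensive steps a practitioner would want: escaping `%` as `%%` (Symfony's documented way to make a percent sign literal) before admin text reaches the resolver, and an audit helper that lists parameter references already sitting in stored configuration. The resolver is a simplified stand-in for Symfony's parameter bag (unknown names are left as-is rather than raising), and the parameter names, values and the analytics-script sample are constructed.

```php
<?php
// Added illustration (not Mautic's or Symfony's code): a minimal model of how
// "%name%" parameter references in admin-supplied text are resolved, and how
// escaping neutralises them. All names and values below are constructed.

declare(strict_types=1);

/**
 * Simplified stand-in for Symfony's parameter resolution:
 * "%%" becomes a literal "%", "%name%" is replaced by the parameter value.
 * Unknown names are left untouched here (the real resolver throws).
 */
function resolveParameters(string $text, array $parameters): string
{
    return preg_replace_callback(
        '/%%|%([^%\s]+)%/',
        static function (array $m) use ($parameters): string {
            if ($m[0] === '%%') {
                return '%';
            }
            return array_key_exists($m[1], $parameters)
                ? (string) $parameters[$m[1]]
                : $m[0];
        },
        $text
    );
}

/**
 * Hardening step for free text fields an admin can edit and that are later
 * rendered publicly: double every "%" so the resolver treats it as literal.
 */
function escapeParameterSyntax(string $adminText): string
{
    return str_replace('%', '%%', $adminText);
}

/**
 * Audit helper for stored configuration: returns every "%name%" reference
 * found in a field so that suspicious values can be flagged for review.
 */
function findParameterReferences(string $text): array
{
    preg_match_all('/%([^%\s]+)%/', $text, $matches);
    return $matches[1];
}

// Constructed parameter bag standing in for the container's parameters.
$parameters = [
    'mautic.db_password' => 'constructed-secret',
    'mautic.site_url'    => 'https://example.invalid',
];

// Constructed admin-supplied analytics script containing a parameter reference.
$analyticsScript = '<script>/* %mautic.db_password% */</script>';

// Vulnerable path: the raw field is handed to the resolver before rendering,
// so the secret value is substituted into the public page.
echo resolveParameters($analyticsScript, $parameters), PHP_EOL;

// Hardened path: escape first, so the public page shows the literal text
// "%mautic.db_password%" instead of the secret.
echo resolveParameters(escapeParameterSyntax($analyticsScript), $parameters), PHP_EOL;

// Audit: list any parameter references sitting in the stored field.
print_r(findParameterReferences($analyticsScript));
```

Run with `php` on the command line: the first line printed contains `constructed-secret` in place of the reference, the second keeps `%mautic.db_password%` verbatim because the doubled percent signs are collapsed back to single literal ones, and the audit helper reports the one reference name `mautic.db_password`. In a real deployment the escaping belongs at the point where admin-edited configuration is written, and the audit helper is useful for checking existing configuration on instances that ran a version before 3.3.2.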

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions   Patched versions
mautic/core (Packagist) < 3.3.2             3.3.2

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.