VYPR
Moderate severity · NVD Advisory · Published Aug 30, 2021 · Updated Sep 16, 2024

XSS vulnerability on password reset page

CVE-2021-27909

Description

For Mautic versions prior to 3.3.4/4.0.0, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into clicking a password reset URL with the vulnerable parameter utilized.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mautic versions prior to 3.3.4/4.0.0 contain a reflected XSS vulnerability on the password reset page via the 'bundle' parameter.

Vulnerability

Mautic versions prior to 3.3.4 and 4.0.0 contain a reflected cross-site scripting (XSS) vulnerability on the password reset page. The bundle URL parameter is lower-cased and copied, without sanitization, into the mauticContent view variable that the page embeds in a JavaScript string, so a value that closes that string literal can inject arbitrary JavaScript. [1][2]

Exploitation

An attacker must convince or trick the target user into clicking a crafted password reset URL that includes malicious JavaScript in the bundle parameter. No authentication is required, but user interaction is necessary. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the Mautic instance. This can lead to session hijacking, defacement, or theft of sensitive data. [2]

Mitigation

The vulnerability is fixed in Mautic 3.3.4 and 4.0.0. The fix passes the bundle parameter through InputHelper::alphanum, which strips everything except alphanumeric characters before the value is lower-cased and handed to the view as mauticContent, and it reads the parameter only from the query string (request->query->get) rather than the generic request->get. [3] Upgrade to a patched version; no workaround is available. [3][4]
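As an added illustration (not Mautic's code), the following stand-alone PHP script reproduces the pattern the patch fixes: a query parameter is lower-cased and interpolated into a single-quoted JavaScript string literal. It contrasts the vulnerable rendering with an allowlist filter standing in for InputHelper::alphanum (the template line, the filter's exact behaviour and every function name here are assumptions for the example), and goes one step beyond the patch by showing context-aware encoding with json_encode for values that cannot be reduced to alphanumerics. The payload is the one used by the regression test in the patch.

```php
<?php
declare(strict_types=1);

// Added example, not Mautic code: a minimal reproduction of the pattern
// behind CVE-2021-27909. A query parameter is lower-cased and interpolated
// into a single-quoted JavaScript string literal in the rendered page.
// The template line and all function names here are assumptions.

// Stand-in for Mautic's InputHelper::alphanum (assumed behaviour): keep
// only ASCII letters and digits, drop everything else.
function alphanumFilter(?string $value): string
{
    return (string) preg_replace('/[^A-Za-z0-9]/', '', $value ?? '');
}

// Vulnerable rendering: the raw value lands inside a JS string context, so a
// single quote in the input terminates the literal and the rest is code.
function renderVulnerable(array $query): string
{
    $content = strtolower((string) ($query['bundle'] ?? ''));
    return "<script>var mauticContent = '" . $content . "';</script>";
}

// Hardened rendering, mirroring the patch: allowlist-filter before the value
// reaches the template. Safe here only because the result is [a-z0-9].
function renderHardened(array $query): string
{
    $content = strtolower(alphanumFilter($query['bundle'] ?? null));
    return "<script>var mauticContent = '" . $content . "';</script>";
}

// Beyond the patch: context-aware encoding for values that must keep other
// characters. json_encode produces a valid JS string literal, and the HEX
// flags keep <, >, ', " and & from ever appearing raw inside <script>.
function renderEncoded(array $query): string
{
    $content = strtolower((string) ($query['bundle'] ?? ''));
    $literal = json_encode($content, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return "<script>var mauticContent = " . $literal . ";</script>";
}

// Tester's check, the same one the regression test in the patch performs:
// does the lower-cased payload survive verbatim into the response body?
function reflectsPayload(string $payload, string $body): bool
{
    return strpos($body, strtolower($payload)) !== false;
}

// Constructed input: the payload from the regression test, plus the case
// where the parameter is absent (query->get returns null there).
$payload = '\'-alert("XSS TEST Mautic")-\'';
$cases = [
    'vulnerable' => renderVulnerable(['bundle' => $payload]),
    'hardened'   => renderHardened(['bundle' => $payload]),
    'encoded'    => renderEncoded(['bundle' => $payload]),
    'absent'     => renderHardened([]),
];

foreach ($cases as $name => $html) {
    printf("%-10s %s  -> %s\n", $name, $html,
        reflectsPayload($payload, $html) ? 'REFLECTED' : 'filtered');
}
```

Run with `php` on the command line. The vulnerable case emits `''-alert("xss test mautic")-''`, which a browser evaluates as a subtraction expression that calls alert; the hardened case carries only `alertxsstestmautic`, the string the patch's regression test asserts on. The allowlist works because nothing that can terminate a JS string survives it; the json_encode variant is the choice when the value legitimately contains other characters and the template is the right place to make it safe.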

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions          Patched versions
mautic/core (Packagist)  < 3.3.4                    3.3.4
mautic/core (Packagist)  >= 4.0.0-alpha1, < 4.0.0   4.0.0


Patches

1
942cb6992df6

Merge pull request from GHSA-32hw-3pvh-vcvc

https://github.com/mautic/mautic · Mohit Aghera · Aug 30, 2021 · via ghsa
2 files changed · +36 −2
  • app/bundles/CoreBundle/Controller/CommonController.php · +2 −2 · modified
    @@ -184,7 +184,7 @@ public function delegateView($args)
                 $args = [
                     'contentTemplate' => $args,
                     'passthroughVars' => [
    -                    'mauticContent' => strtolower($this->request->get('bundle')),
    +                    'mauticContent' => strtolower(InputHelper::alphanum($this->request->query->get('bundle'))),
                     ],
                 ];
             }
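Review bot: the new expression on line 187 references `InputHelper::alphanum`, but this +2/−2 diff adds no `use` statement for it; confirm `CommonController.php` already imports `Mautic\CoreBundle\Helper\InputHelper`, otherwise the name resolves inside the controller's namespace and fails at runtime. Two behavioural changes ride along on this one line and deserve a sentence in the PR description: `$this->request->get('bundle')`, which in Symfony falls back across route attributes, query string and request body, becomes `$this->request->query->get('bundle')`, so a `bundle` supplied as a route attribute or POST field is no longer picked up; and when the parameter is absent `query->get` returns null, so check that `alphanum()` accepts a null argument rather than only strings.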
    @@ -201,7 +201,7 @@ public function delegateView($args)
                 if (isset($args['passthroughVars']['mauticContent'])) {
                     $mauticContent = $args['passthroughVars']['mauticContent'];
                 } else {
    -                $mauticContent = strtolower($this->request->get('bundle'));
    +                $mauticContent = strtolower(InputHelper::alphanum($this->request->query->get('bundle')));
                 }
                 $args['viewParameters']['mauticContent'] = $mauticContent;
             }
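Review bot: the else branch on line 204 now duplicates the exact expression added on line 187; a single private helper (for example `$this->getSanitizedBundle()`) would keep the two call sites from drifting apart the next time the rule changes, which is how an unsanitized `request->get('bundle')` survived in this second path in the first place. Note also that `alphanum` strips characters rather than escaping them: `$mauticContent` is safe to interpolate only because the result is reduced to alphanumerics, so any template that embeds other `viewParameters` in a script still needs proper output encoding.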
    
  • app/bundles/UserBundle/Tests/Functional/Controller/PublicControllerTest.php · +34 −0 · added
    @@ -0,0 +1,34 @@
    +<?php
    +
    +declare(strict_types=1);
    +
    +/*
    + * @copyright   2021 Mautic Contributors. All rights reserved
    + * @author      Mautic
    + *
    + * @link        http://mautic.org
    + *
    + * @license     GNU/GPLv3 http://www.gnu.org/licenses/gpl-3.0.html
    + */
    +
    +namespace Mautic\UserBundle\Tests\Functional\Controller;
    +
    +use Mautic\CoreBundle\Test\MauticMysqlTestCase;
    +
    +class PublicControllerTest extends MauticMysqlTestCase
    +{
    +    /**
    +     * Tests to ensure that xss is prevented on password reset page.
    +     */
    +    public function testXssFilterOnPasswordReset(): void
    +    {
    +        $this->client->request('GET', '/passwordreset?bundle=%27-alert("XSS%20TEST%20Mautic")-%27');
    +        $clientResponse = $this->client->getResponse();
    +        $this->assertSame(200, $clientResponse->getStatusCode(), 'Return code must be 200.');
    +        $responseData = $clientResponse->getContent();
    +        // Tests that actual string is not present.
    +        $this->assertStringNotContainsString('-alert("xss test mautic")-', $responseData, 'XSS injection attempt is filtered.');
    +        // Tests that sanitized string is passed.
    +        $this->assertStringContainsString('alertxsstestmautic', $responseData, 'XSS sanitized string is present.');
    +    }
    +}
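Review bot: the test exercises one payload on one input path; since the fix also narrowed the source from `request->get('bundle')` to `request->query->get('bundle')`, add a request with no `bundle` parameter at all (to prove the null path renders without error) and one that sends `bundle` in a POST body (to pin down that it is now ignored rather than rendered). The `assertStringContainsString('alertxsstestmautic', ...)` assertion is good, since it proves the sanitized value actually reached the page instead of the path being skipped; the `$this->client->request(...)` URL, however, embeds raw `"`, `(` and `)` characters, so building it with `http_build_query(['bundle' => '\'-alert("XSS TEST Mautic")-\''])` would avoid relying on the test client to normalise them and would make the payload readable next to the expected string.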
    
