VYPR
Moderate severity · NVD Advisory · Published Sep 18, 2024 · Updated Sep 19, 2024

Cross-site Scripting (XSS) - stored (edit form HTML field)

CVE-2024-47058

Description

With access to edit a Mautic form, the attacker can add stored Cross-Site Scripting in the HTML field. This could be used to steal sensitive information from the user's current session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mautic stored XSS in form HTML fields allows attackers with edit access to inject malicious scripts, potentially stealing session data.

Overview

CVE-2024-47058 describes a stored Cross-Site Scripting (XSS) vulnerability in Mautic, an open-source marketing automation platform. An attacker with permission to edit a Mautic form can inject malicious HTML or JavaScript code into the form's HTML content field. This code is then stored and executed when other users view or interact with the affected form, as the application does not properly sanitize input in that field.

Exploitation

The attack requires an authenticated user who has been granted the privilege to edit forms. No additional user interaction is needed for the stored payload to execute; any user who visits the compromised form will trigger the script. The vulnerability resides in the lack of output encoding or removal of dangerous attributes (such as event-handler attributes whose names start with 'on', or 'javascript:' URLs) in the form's HTML field [4]. The attacker can craft input that bypasses weak filters, leading to persistent script execution.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can be used to steal sensitive information, such as session cookies or authentication tokens, potentially leading to account takeover. The CVSS 4.0 vector (not yet provided by NVD) likely reflects high confidentiality impact due to data exfiltration [2].

Mitigation

The Mautic project has released a security advisory [3] and a patch commit [4] that introduces a new Twig function, formFieldCleanInputAttributes, backed by a cleanInputAttributes helper. The helper applies HTML entity encoding and discards the whole attribute string when it contains an event-handler (on*=) or javascript: pattern. Users should upgrade to a patched version as soon as possible. No workaround is provided; limiting form-editing privileges to trusted users can reduce risk but does not fix the underlying issue.
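As an added illustration for this page (not Mautic's code and not part of the advisory), the block below reproduces the substring check that the fix introduces and places it next to an allow-list filter that tokenises the attribute string, drops only the offending attributes, and vets URL-valued attributes on their decoded form. The attribute names and URL schemes it allows, and the sample inputs, are assumptions constructed for the example; it needs PHP 8 for str_starts_with().

```php
<?php
// Added example for this advisory page, not Mautic's code: the substring
// check introduced by the patch, reproduced for comparison, next to a
// tokenising allow-list filter for attribute strings. The allowed attribute
// names and URL schemes below are this example's assumptions.
declare(strict_types=1);

/** Reproduction of the patch's check: any "on...=" or "javascript:" substring rejects the whole string. */
function patchStyleCheck(string $value): string
{
    $value = htmlspecialchars($value, ENT_SUBSTITUTE, 'UTF-8', false);
    // Unanchored, so "on=" inside a longer name such as data-position= also matches.
    preg_match('/(on[A-Za-z]*\s*=|javascript:)/i', $value, $result);
    return empty($result) ? $value : '';
}

/** True for relative URLs and for the schemes a container attribute may legitimately carry (assumed list). */
function isSafeUrl(string $url): bool
{
    // Check the form the browser will see: decode entities, drop control characters and whitespace.
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $decoded = preg_replace('/[\x00-\x20\x7F]+/', '', $decoded);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $decoded, $m)) {
        return true; // no scheme: relative path, query or fragment
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
}

/**
 * Tokenise name="value" / name='value' / name=bare / name pairs, keep only
 * allow-listed names (plus data-*), vet URL-valued attributes, and re-emit
 * every value entity-encoded. Unknown names (onclick, srcdoc, xmlns, ...)
 * are dropped individually instead of discarding the whole string.
 */
function allowListAttributes(string $value): string
{
    $allowedNames = ['class', 'id', 'style', 'title', 'href', 'target', 'rel']; // assumption
    $urlNames = ['href'];
    // (?| ... ) is a branch-reset group: whichever quoting form matches, the value is group 2.
    $token = '/([A-Za-z_:][-A-Za-z0-9_:.]*)(?:\s*=\s*(?|"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+)))?/';
    preg_match_all($token, $value, $matches, PREG_SET_ORDER);

    $kept = [];
    foreach ($matches as $m) {
        $name = strtolower($m[1]);
        if (!in_array($name, $allowedNames, true) && !str_starts_with($name, 'data-')) {
            continue; // not on the allow-list: drop just this attribute
        }
        if (!isset($m[2])) {          // boolean attribute with no value
            $kept[] = $name;
            continue;
        }
        $val = html_entity_decode($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8'); // normalise stored entities first
        if (in_array($name, $urlNames, true) && !isSafeUrl($val)) {
            continue;
        }
        $kept[] = $name . '="' . htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
    }
    return implode(' ', $kept);
}

// Constructed inputs (not taken from any real form).
$samples = [
    'class="row" data-position="top"',        // legitimate, but contains the substring "on="
    'class="row" onmouseover="alert(1)"',     // inline event handler
    'href="javascript:alert(1)" class="cta"', // script-scheme URL
    'href="/thank-you" target="_blank"',      // relative URL
];
foreach ($samples as $s) {
    printf("%-42s | patch: %-45s | allow-list: %s\n",
        $s, var_export(patchStyleCheck($s), true), var_export(allowListAttributes($s), true));
}
```

Run it with the php CLI. The first sample shows the practical cost of the substring match: a harmless data-position attribute is rejected wholesale because its name ends in "on", while the allow-list keeps it and still drops the onmouseover handler and the javascript: href in the other samples, leaving the benign class attribute in place.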

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions          Patched versions
mautic/core      Packagist   >= 5.0.0-alpha, < 5.1.1    5.1.1
mautic/core      Packagist   >= 1.0.0-beta, < 4.4.13    4.4.13
mautic/core-lib  Packagist   >= 5.0.0-alpha, < 5.1.1    5.1.1
mautic/core-lib  Packagist   >= 1.0.0-beta, < 4.4.13    4.4.13

Affected products

3

Patches

2
344b908ef690

Merge remote-tracking branch 'security/mst35-50' into 5.1

https://github.com/mautic/mautic · John Linhart · Sep 18, 2024 · via ghsa
2 files changed · +19 −1
  • app/bundles/FormBundle/Resources/views/Field/freehtml.html.twig · +1 −1 · modified
    @@ -12,7 +12,7 @@
     {% set validationMessage = '' %}
     {% set inputAttributes = htmlAttributesStringToArray(field.inputAttributes|default('')) %}
     {% set labelAttributes = htmlAttributesStringToArray(field.labelAttributes|default('')) %}
    -{% set containerAttributes = htmlAttributesStringToArray(field.containerAttributes|default('')) %}
    +{% set containerAttributes = htmlAttributesStringToArray(formFieldCleanInputAttributes(field.containerAttributes|default(''))) %}
     {% if ignoreName is not defined or (ignoreName is defined and ignoreName is empty) %}
       {% set inputName = 'mauticform[' ~ field.alias ~ ']' %}
       {% if field.properties.multiple is defined %}
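Review bot: only containerAttributes is routed through formFieldCleanInputAttributes here; the inputAttributes and labelAttributes set on the two context lines above still go straight into htmlAttributesStringToArray. If those fields are editable by the same users, they need the same treatment, or a comment should say where they are cleaned.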
    
  • app/bundles/FormBundle/Twig/Extension/FormFieldExtension.php · +18 −0 · modified
    @@ -16,6 +16,24 @@ public function getFunctions()
                 new TwigFunction('formFieldParseBooleanList', [FormFieldHelper::class, 'parseBooleanList']),
                 new TwigFunction('formFieldParseList', [FormFieldHelper::class, 'parseList']),
                 new TwigFunction('formFieldParseListForChoices', [FormFieldHelper::class, 'parseListForChoices']),
    +            new TwigFunction('formFieldCleanInputAttributes', [$this, 'cleanInputAttributes']),
             ];
         }
    +
    +    /**
    +     * Clean input evil attributes to prevent XSS
    +     * Remove any attribute starting with "on" or xmlns or javascript:. Used in href, src, value, data, etc.
    +     */
    +    public function cleanInputAttributes(string $value): string
    +    {
    +        // Remove any HTML tags
    +        $value = htmlspecialchars($value, ENT_SUBSTITUTE, 'UTF-8', false);
    +        // Remove any attribute starting with "on" or javascript used in href, src, value, data, etc.
    +        preg_match('/(on[A-Za-z]*\s*=|javascript:)/i', $value, $result);
    +        if (!empty($result)) {
    +            return '';
    +        }
    +
    +        return $value;
    +    }
     }
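Review bot: the pattern `(on[A-Za-z]*\s*=|javascript:)` in cleanInputAttributes() is unanchored, so it also matches `on=` inside longer attribute names (`action=`, `data-position=`) and then discards the entire attribute string, which silently breaks legitimate forms. Anchor the handler check to an attribute boundary, e.g. `(^|[\s"'])on[a-z]+\s*=`, or tokenise the string and drop only the offending attribute. The docblock also promises removal of `xmlns`, which the regex never matches, and the comment `// Remove any HTML tags` is inaccurate: htmlspecialchars() encodes, it does not strip.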
    
88153a15b3ce

Merge remote-tracking branch 'security/mst35-4.4' into 4.4

https://github.com/mautic/mautic · John Linhart · Sep 18, 2024 · via ghsa
2 files changed · +21 −1
  • app/bundles/CoreBundle/Helper/InputHelper.php · +18 −0 · modified
    @@ -539,4 +539,22 @@ public static function transliterate($value)
     
             return \URLify::transliterate((string) $value);
         }
    +
    +    /**
    +     * Clean input evil attributes to prevent XSS
    +     * Remove any attribute starting with "on" or xmlns or javascript:.
    +     *
    +     * @return string
    +     */
    +    public static function cleanInputAttributes(?string $value)
    +    {
    +        $value = htmlspecialchars($value, ENT_SUBSTITUTE, 'UTF-8', false);
    +        // Remove any attribute starting with "on" or javascript used in href, src, value, data, etc.
    +        preg_match('/(on[A-Za-z]*\s*=|javascript:)/i', $value, $result);
    +        if (!empty($result)) {
    +            return '';
    +        }
    +
    +        return $value;
    +    }
     }
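Review bot: cleanInputAttributes() declares `?string $value` but hands it to htmlspecialchars() uncast, so a null containerAttributes raises a deprecation notice on PHP 8.1+; follow the transliterate() method in the context above and pass `(string) $value`, and add a native `: string` return type instead of relying on the @return tag. As in the 5.1 copy, the docblock mentions `xmlns` although the regex does not match it, and the unanchored `on[A-Za-z]*\s*=` also rejects benign names such as `data-position=` by emptying the whole string.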
    
  • app/bundles/FormBundle/Views/Field/field_helper.php · +3 −1 · modified
    @@ -1,5 +1,7 @@
     <?php
     
    +use Mautic\CoreBundle\Helper\InputHelper;
    +
     $appendAttribute = function (&$attributes, $attributeName, $append) {
         if (false === stripos($attributes, "{$attributeName}=")) {
             $attributes .= ' '.$attributeName.'="'.$append.'"';
    @@ -76,7 +78,7 @@
     }
     
     // Container
    -$containerAttr = 'id="mauticform'.$formName.'_'.$id.'" '.htmlspecialchars_decode($field['containerAttributes']);
    +$containerAttr = 'id="mauticform'.$formName.'_'.$id.'" '.InputHelper::cleanInputAttributes($field['containerAttributes']);
     
     if (!isset($containerClass)) {
         $containerClass = $containerType;
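Review bot: the removed htmlspecialchars_decode() call implies containerAttributes is stored entity-encoded, and its replacement ends in htmlspecialchars(..., double_encode: false), so the stored entities are now emitted still encoded (`class=&quot;row&quot;` rather than `class="row"`) and concatenated into $containerAttr as-is. Confirm that the rendered container markup still carries real quotes, or decode first and re-encode only the individual attribute values after the check.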
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.