Packagist (Composer) package
mautic/core
pkg:composer/mautic/core
Vulnerabilities (49)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-8092 | | | — | < 2.13.0 | 2.13.0 | Apr 18, 2018 | Mautic before 2.13.0 allows CSV injection. |
| CVE-2018-8071 | | | — | < 2.13.0 | 2.13.0 | Apr 18, 2018 | Mautic before v2.13.0 has stored XSS via a theme config file. |
| CVE-2018-10189 | | | — | < 2.13.0 | 2.13.0 | Apr 17, 2018 | An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It is possible to systematically emulate tracking cookies per contact due to tracking the contact by their auto-incremented ID. Thus, a third party can manipulate the cookie value with +1 to systematically assume being |
| CVE-2017-1000506 | | | — | < 2.14.2 | 2.14.2 | Feb 9, 2018 | Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Company's name that can result in denial of service and execution of JavaScript code. |
| CVE-2017-1000490 | | | — | >= 1.0.0, < 2.12.0 | 2.12.0 | Jan 3, 2018 | Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the Filemanager to download any file from the server that the web user has access to. |
| CVE-2017-1000489 | | | — | >= 2.0.0, < 2.12.0 | 2.12.0 | Jan 3, 2018 | Mautic versions 2.0.0 - 2.11.0 with an SSO plugin installed could allow a disabled user to still log in using an email address. |
| CVE-2017-1000488 | | | — | >= 2.1.0, < 2.12.0 | 2.12.0 | Jan 3, 2018 | Mautic versions 2.1.0 - 2.11.0 are vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET parameters to pre-populate the form. |
| CVE-2017-1000046 | High | 7.5 | — | < 2.1.1 | 2.1.1 | Jul 17, 2017 | Mautic 2.6.1 and earlier fails to set flags on session cookies. |
| CVE-2017-8874 | High | 8.8 | — | — | — | May 10, 2017 | Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1.4.1 allow remote attackers to hijack the authentication of users for requests that (1) delete email campaigns or (2) delete contacts. |
Page 3 of 3