Matisact

Rank: #19572 of 53,622
Total CVSS: 13.4
Vulnerabilities: 2 (Medium: 1, High: 1)
PT-2024-32377 · CVSS 5.1 · 2024-09-18
Mautic · Mautic · CVE-2024-47058

**Name of the Vulnerable Software and Affected Versions**
Mautic versions prior to 4.4.13
Mautic versions prior to 5.1.1

**Description**
A user with permission to edit a Mautic form can store Cross-Site Scripting in the form's `html` field. The payload is persisted and executes in the browser of anyone who views the affected form, so it can be used to steal sensitive information from that user's current session. Because the field is meant to hold HTML, output escaping alone is not the fix; the content has to be sanitized against an allowlist of tags and attributes.

**Recommendations**
For versions prior to 4.4.13, upgrade to 4.4.13 or later.
For versions prior to 5.1.1, upgrade to 5.1.1 or later.
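Stored XSS in a field that legitimately contains HTML cannot be fixed by escaping the whole value (that would break the intended markup); the content has to be reduced to an allowlist. The following sanitizer is an added example written for this page, not Mautic's own code or the fix shipped in 4.4.13/5.1.1. The tag and attribute allowlist, the `sanitize_html` name and the sample inputs are all assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example): tags a form description legitimately
# needs, mapped to the attributes permitted on each. Anything not listed here
# is dropped; text inside an unknown tag is kept, the tag itself is removed.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"},
}
SAFE_SCHEMES = {"http", "https", "mailto"}   # hrefs must carry one of these explicitly
VOID_TAGS = {"br"}                            # never emit a closing tag for these
RAW_TEXT_TAGS = {"script", "style"}           # their text content is discarded entirely


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities are decoded, then re-escaped on output
        self.out = []
        self._skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            # Event handlers (on*), style, etc. are never in the allowlist.
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            # Scheme must be explicitly safe; "javascript:" and schemeless/relative
            # values are both dropped (browsers tolerate tabs/newlines inside
            # "java\tscript:", which urlparse would report as no scheme at all).
            if name == "href" and urlparse(value.strip()).scheme.lower() not in SAFE_SCHEMES:
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))   # comments are dropped by default


def sanitize_html(fragment):
    """Return `fragment` reduced to the allowlist above."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input resembling a hostile form `html` field.
    hostile = '<p onmouseover="alert(1)">Hello</p><script>alert(document.cookie)</script>' \
              '<a href="javascript:alert(1)">link</a><img src=x onerror=alert(1)>'
    print(sanitize_html(hostile))
```

The parser works on a stream, so unclosed `<script>` tags simply swallow the rest of the input rather than leaking it; that is the conservative failure mode you want for untrusted markup.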
PT-2021-17665 · CVSS 8.3 · 2021-08-30
Mautic · Mautic · CVE-2021-27911

**Name of the Vulnerable Software and Affected Versions**
Mautic versions prior to 3.3.4/4.0.0

**Description**
The issue is an inline JavaScript XSS that is triggered through a contact's first or last name: when a user views the contact's details page, opens the action drop-down and hovers over the Campaigns button, the name is executed as script. The contact's first and last name can be populated from several sources, including the UI, the API, third-party syncing and forms, so the payload does not have to be entered by a Mautic user. Note that the sink is an inline JavaScript handler: HTML-escaping the name is not sufficient there, because the browser decodes HTML entities in the attribute before the JavaScript engine sees the string, so the value must be escaped for the JavaScript string context and then for the HTML attribute context.

**Recommendations**
Upgrade to version 3.3.4 or 4.0.0 to resolve the issue. As a temporary workaround, consider restricting the input of contact first and last names to minimize the risk of exploitation. Because names arrive from the UI, the API, third-party syncing and forms, a restriction applied at only one of those entry points does not cover the others; avoid ingesting potentially malicious input from any of them until the issue is resolved.
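The reason an inline-handler XSS like this one survives a plain HTML escape is that the browser decodes attribute entities before handing the string to the JavaScript engine. The block below is an added example written for this page, not Mautic's template code: a hypothetical `showCampaigns(...)` hover handler renders a contact name the vulnerable way (HTML-escape only) and the hardened way (JSON-encode for the JS string context, then HTML-escape for the attribute context), and a tiny model of the browser's decoding step shows which one lets the name escape the string literal. The contact record and the handler name are constructed assumptions.

```python
import html
import json
import re

# Constructed sample: a first name that is harmless in an HTML text node but
# closes a single-quoted JS string literal and appends a statement.
CONTACT = {"firstname": "Eve'); alert(document.cookie); //", "lastname": "Smith"}


def render_vulnerable(contact):
    """Vulnerable pattern: one HTML escape, then straight into an inline handler."""
    name = html.escape(contact["firstname"] + " " + contact["lastname"], quote=True)
    return '<a href="#" onmouseover="showCampaigns(\'' + name + '\')">Campaigns</a>'


def render_hardened(contact):
    """Hardened: escape for each context in the reverse of the browser's decode order.
    json.dumps yields a valid JS string literal (quotes and backslashes escaped);
    html.escape then protects the attribute boundary."""
    name = contact["firstname"] + " " + contact["lastname"]
    handler = "showCampaigns(" + json.dumps(name) + ")"
    return '<a href="#" onmouseover="' + html.escape(handler, quote=True) + '">Campaigns</a>'


def handler_as_executed(markup):
    """Model the browser: take the onmouseover attribute value and decode the
    HTML entities, which is exactly the text the JS engine receives."""
    match = re.search(r'onmouseover="([^"]*)"', markup)
    return html.unescape(match.group(1))


def is_single_call(js):
    """True only if `js` is showCampaigns(<one string literal>) and nothing else,
    i.e. the untrusted data stayed inside the literal."""
    prefix = "showCampaigns("
    if not js.startswith(prefix):
        return False
    i = len(prefix)
    if i >= len(js) or js[i] not in "'\"":
        return False
    quote = js[i]
    i += 1
    while i < len(js):
        if js[i] == "\\":          # backslash escape: skip the escaped character
            i += 2
            continue
        if js[i] == quote:         # literal closed: the only thing left must be ')'
            return js[i + 1:] == ")"
        i += 1
    return False                   # literal never closed


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        js = handler_as_executed(render(CONTACT))
        print(label, "->", js, "| contained:", is_single_call(js))
```

Running it shows the vulnerable markup decoding to `showCampaigns('Eve'); alert(document.cookie); // Smith')`, where the entity-encoded quote has come back as a real quote, while the hardened version decodes to a single call whose argument still contains the whole name as data. The same layering rule applies whenever a template writes untrusted data into a `<script>` block or an `on*` attribute.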