PT-2021-17662 · Mautic · Mautic

Credit: Alanhartless +1

Published: 2021-03-23 · Updated: 2022-07-29 · CVE-2021-27908

CVSS v3.1: 5.8 (Medium)
Vector: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Mautic versions prior to 3.3.2
Description: The issue allows an authorized admin user to expose secret parameters, such as database credentials, publicly by leveraging Symfony parameter syntax in free text fields within Mautic's configuration. This can be done in publicly facing parts of the application. For example, an admin can enter a script in the Analytics script field that logs the database password to the console, which can then be accessed by visiting a landing page and opening the JavaScript developer console.
Recommendations: Upgrade to version 3.3.2 to resolve the issue. As a temporary workaround, consider restricting access to the configuration fields that use Symfony parameter syntax to minimize the risk of exploitation. Avoid using sensitive parameters, such as mautic.db_password, in free text fields until the issue is resolved.
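As an added illustration (not part of this advisory or of Mautic's own code), the check below audits free-text configuration values for Symfony `%name%` parameter references, flags any that point at database parameters, and shows the `%%`-escaped form that Symfony treats as a literal percent sign. The field names and the parameter name `mautic.db_password` in the constructed sample are assumptions based on the advisory text.

```python
import re

# Symfony's container resolves %name% inside parameter values at runtime;
# a doubled percent sign (%%) is Symfony's escape for a literal "%".
PARAM_REF = re.compile(r"(?<!%)%([A-Za-z0-9_.]+)%(?!%)")

# Parameter-name prefixes a Mautic operator would treat as secrets (assumption).
SENSITIVE_PREFIXES = ("mautic.db_",)

# Constructed sample of free-text config fields; "analytics_script" carries the
# kind of value the advisory describes, "site_name" has a harmless percent sign.
SAMPLE_CONFIG = {
    "site_name": "Acme Newsletter (20% off this week)",
    "analytics_script": "<script>console.log('%mautic.db_password%');</script>",
    "tracking_domain": "track.example.com",
}


def find_parameter_refs(value):
    """Return the Symfony parameter names referenced by %name% in a value."""
    return PARAM_REF.findall(value)


def escape_parameter_refs(value):
    """Neutralise %name% references by doubling the percent signs.

    The result is idempotent: already-escaped %%name%% is left untouched.
    """
    return PARAM_REF.sub(lambda m: "%%" + m.group(1) + "%%", value)


def audit_config(config, sensitive_prefixes=SENSITIVE_PREFIXES):
    """Report every field whose free text would be parameter-expanded.

    Each finding lists the referenced parameters, which of them look like
    secrets, and the escaped value that is safe to store instead.
    """
    findings = []
    for field, value in config.items():
        refs = find_parameter_refs(value)
        if not refs:
            continue
        findings.append({
            "field": field,
            "refs": refs,
            "sensitive": [r for r in refs if r.startswith(sensitive_prefixes)],
            "safe_value": escape_parameter_refs(value),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```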

Tags: Special Elements Injection · Information Disclosure · Incorrect Permission


Weakness Enumeration

Related Identifiers

CVE-2021-27908
GHSA-4HJQ-422Q-4VPX

Affected Products

Mautic