CVE-2021-27910

Name of the Vulnerable Software and Affected Versions: Mautic versions prior to 3.3.4 Mautic versions prior to 4.0.0

Description: Insufficient sanitization/filtering allows for arbitrary JavaScript injection in Mautic using the bounce management callback function. An attacker can inject arbitrary JavaScript code into the error and error related to parameters of the POST request (POST /mailer/<product / webhook>/callback) without needing authentication. The injected JavaScript code is stored permanently and executed when an authenticated user views the details page of an affected lead, potentially allowing for information theft or tampering.

Recommendations: Upgrade to version 3.3.4 or 4.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the bounce management callback function until the upgrade is applied. Avoid using the error and error related to parameters in the affected API endpoint until the issue is resolved.