Vulnerability DatabaseCVE-2021-27908
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2021-27908
March 23, 2021
In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic’s configuration that are used in publicly facing parts of the application.
Affected Packages
mautic/core (PHP):
Affected version(s) >=dev-add-allow-redirect-in-download-request <3.3.2
Fix Suggestion:
Update to version 3.3.2
Related Resources (4)
https://github.com/mautic/mautic/security/advisories/GHSA-4hjq-422q-4vpx
https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27908.yaml
https://nvd.nist.gov/vuln/detail/CVE-2021-27908
https://github.com/mautic/mautic
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
LOCAL
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.8
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
LOW
CVSS v2
Base Score:
2.1
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-74
Incorrect Permission Assignment for Critical Resource
CWE-732
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
EPSS
Base Score:
0.11