CVE-2025-9823
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-04
Assigner: Mautic
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mautic | mautic | * |
| mautic | core | 4.4.0 |
| mautic | core | 6.0.0-alpha |
| mautic | core | 5.0.0-alpha |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9823 is a reflected Cross-Site Scripting (XSS) vulnerability in the Mautic marketing automation platform. It occurs in the 'Tags' input field of the /s/ajax?action=lead:addLeadTags endpoint. The vulnerability arises because user-supplied input is reflected immediately in the server's response without proper sanitization or escaping, allowing an attacker to inject and execute arbitrary JavaScript code in another user's browser session. This can lead to malicious actions such as session hijacking, credential theft, unauthorized actions, content manipulation, and redirection to malicious websites. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript in your browser session, potentially leading to theft of sensitive data like cookies, hijacking of your session, unauthorized actions performed on your behalf within the application, manipulation of web page content, and redirection to malicious websites. Even if the server-side code is secure, the attacker can control your session by exploiting this reflected XSS vulnerability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /s/ajax?action=lead:addLeadTags endpoint for reflected Cross-Site Scripting (XSS) by injecting JavaScript payloads into the "Tags" input field and observing if the payload is executed immediately in the response. Common detection methods include using web vulnerability scanners or manual testing with tools like curl or browser developer tools. For example, you can use curl to send a request with a test payload: curl -G --data-urlencode "tags=<script>alert(1)</script>" "https://your-mautic-instance/s/ajax?action=lead:addLeadTags" and check if the script executes or is reflected unsanitized in the response. Additionally, using browser developer tools to inspect the response and behavior after submitting tags can help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Mautic platform to a patched version that fixes this vulnerability. Specifically, upgrade to version 4.4.17, 5.2.8, or 6.0.5 or later of the mautic/core Composer package. Until the update can be applied, consider restricting access to the vulnerable endpoint, applying web application firewall (WAF) rules to block malicious payloads targeting the Tags input field, and educating users to avoid interacting with suspicious links that could exploit this reflected XSS vulnerability. [1]