CVE-2022-25774 in Mautic
Summary
by MITRE • 09/18/2024
Prior to the patched version, logged in users of Mautic are vulnerable to a self XSS vulnerability in the notifications within Mautic.
Users could inject malicious code into the notification when saving Dashboards.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/06/2025
The vulnerability CVE-2022-25774 represents a critical self cross-site scripting flaw in the Mautic marketing automation platform that affects authenticated users. This issue stems from insufficient input validation and output sanitization within the notification system, specifically when users save dashboard configurations. The vulnerability exists in the web application's user interface where notification content is processed and rendered without proper security measures to prevent malicious script injection.
The technical implementation of this vulnerability allows authenticated attackers to execute malicious JavaScript code within their own browser context through the notification system. When users save dashboards containing crafted malicious payloads, these scripts are stored and subsequently executed whenever the notification is displayed to the user. This creates a self-XSS vector where the user's own browser becomes the attack surface, making exploitation straightforward and persistent. The vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws in web applications, and aligns with ATT&CK technique T1059.007 for scripting languages and T1566.001 for spearphishing attachments.
The operational impact of this vulnerability extends beyond simple data theft or session hijacking. Since it affects authenticated users within the Mautic platform, attackers can leverage this to escalate privileges, access sensitive marketing data, or manipulate campaign configurations. The self-XSS nature means that even users with elevated permissions could be compromised if they interact with malicious notifications. The vulnerability also impacts the platform's integrity as malicious code can modify dashboard behavior, redirect users to malicious sites, or exfiltrate data from the application's session. This creates a persistent threat vector that remains active until the notification content is cleared or the user's session is terminated.
Mitigation strategies should focus on implementing comprehensive input validation and output encoding for all user-supplied content within the notification system. Organizations should enforce strict content sanitization using libraries that can strip or escape potentially dangerous HTML and JavaScript elements. The recommended approach includes implementing a Content Security Policy that restricts script execution and prevents inline JavaScript from being executed. Additionally, regular security audits should validate all user input processing within dashboard components, and administrators should consider implementing multi-factor authentication to add additional protection layers. Security patches should be applied immediately upon release to address the root cause, and user education about recognizing suspicious notifications should be part of the overall security awareness program. The vulnerability demonstrates the importance of securing all user-facing interfaces and implementing defense-in-depth strategies that protect against both external and internal threats.