CVE-2021-27908 Vulnerability Details

  /     /     /  

CVE-2021-27908 Metadata Quick Info

CVE Published: 23/03/2021 | CVE Updated: 16/09/2024 | CVE Year: 2021
Source: Mautic | Vendor: Mautic | Product: Mautic
Status : PUBLISHED

CVE-2021-27908 Description

In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic’s configuration that are used in publicly facing parts of the application.

Metrics

CVSS Version: 3.1 | Base Score: 5.8 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* LOCAL
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* HIGH
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-200
CWE Name: CWE-200 Information Exposure
Source: Mautic

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).