We have made available for immediate download an out-of-sequence release for both Mautic 2.x and 3.x. 

We have also published some resources on the website:

• Landing page for the security team
• Security Advisory Policy
• How to report a security issue
• How we triage, resolve and release fixes for security issues
• How to join the Mautic Security Team
• Meet the Mautic Security Team

This release addresses:

1. A Moderately Critical Vulnerability (Vulnerability 1) reported by Dardan Prebreza at Bishop Fox, and  
2. A Highly Critical Vulnerability (Vulnerability 2) reported by Naveen Sunkavally at Horizon3.ai.

Risk Ratings

These are based on the information in the ‘how we triage, resolve and release fixes for security issues’ page above.

Vulnerability 1

12/25 (Moderately Critical) AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability 2

22/25 (Highly Critical) AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All

More information can be found in the CVE reports here - details will be added following the release: 

Vulnerability 1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35128

Vulnerability 2

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35124

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35125

Patches

Fix for both vulnerabilities

Link to patch for 2.x versions: https://github.com/mautic/mautic/compare/2.16.4...2.16.5.diff

Link to patch for 3.x versions: https://github.com/mautic/mautic/compare/3.2.2...3.2.4.diff

 ⚠️ Important note for users who are currently running 3.2.0 or later

Are you currently using Mautic 3.2.0 or later and do you update through the CLI (Command Line Interface)? Then the message below applies to you! This does not apply if you're updating through the UI (graphical interface).

When you're trying to update through the CLI, you might run into the following error:

Notice: Undefined index: message in /var/www/html/app/bundles/CoreBundle/Update/Step/InstallNewFilesStep.php on line 131

Failed to execute command php bin/console mautic:update:apply: exit status 1

This bug was introduced in Mautic 3.2.0 and fixed in 3.2.4. Please use the following workaround:

wget https://github.com/mautic/mautic/releases/download/3.2.4/3.2.4-update.zip
php bin/console mautic:update:apply --update-package=3.2.4-update.zip
php bin/console mautic:update:apply --finish

How to scan for attempts to exploit the vulnerability

We have also provided some searches that you can do to see if there have been attempts to exploit the highly critical vulnerability.  

Check for exploit attempts - Vulnerability 1

To see if there was an attempt at this vulnerability, run the following queries replacing PREFIX_ with your own if configured: 

• >select * from PREFIX_companies where companyname like '%<%' or companyname like '%onerror%';

Check for exploit attempts - Vulnerability 2

The first and absolutely necessary step is to check if there are any unrecognized users listed in Mautic’s User manager. Delete or unpublish any not recognized immediately. 

To see if there was an attempt at this vulnerability, run the following queries replacing PREFIX_ with your own if configured:  

• >select * from PREFIX_form_submissions where referer like '%<%' or referer like '%onerror%';
• >select * from PREFIX_asset_downloads where referer like '%<%' or referer like '%onerror%';
• >select * from PREFIX_companies where companyname like '%<%' or companyname like '%onerror%';

If there are any results returned, review them to look for HTML tags. If it looks like HTML is embedded, delete the entry from the database. 

Credits

Thanks to Dardan Prebreza at Bishop Fox and Naveen Sunkavally at Horizon3.ai for responsibly reporting these vulnerabilities.

Thanks to Alan Hartless at Acquia and Dennis Ameling for fixing these vulnerabilities.