CVE-2025-9823 (GCVE-0-2025-9823)
Vulnerability from cvelistv5
Published
2025-09-03 14:33
Modified
2025-09-03 17:33
Severity ?
4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
SummaryA Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session. This occurs because user-supplied input is reflected back in the server’s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application. DetailsThe vulnerability resides in the “Tags” input field on the /s/ajax?action=lead:addLeadTags endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim’s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user’s session. ImpactA Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, manipulate the web page content, and essentially take control of a user's session within an application by executing malicious JavaScript code within the victim's browser, even if the server-side code is secure; essentially enabling them to perform actions as if they were the logged-in user. References * Web Security Academy: Cross-site scripting https://portswigger.net/web-security/cross-site-scripting * Web Security Academy: Reflected cross-site scripting https://portswigger.net/web-security/cross-site-scripting/reflected
References
security@mautic.orghttps://github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm
Impacted products
Vendor Product Version
Mautic Mautic Version: >= 4.4.0   
Version: >= 5.0.0-alpha   
Version: >= 6.0.0-alpha   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-9823",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-03T17:32:56.733259Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-03T17:33:19.941Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://packagist.org",
          "defaultStatus": "unaffected",
          "packageName": "mautic/core",
          "product": "Mautic",
          "repo": "https://github.com/mautic/mautic",
          "vendor": "Mautic",
          "versions": [
            {
              "lessThan": "\u003c 4.4.17",
              "status": "affected",
              "version": "\u003e= 4.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "\u003c 5.2.8",
              "status": "affected",
              "version": "\u003e= 5.0.0-alpha",
              "versionType": "semver"
            },
            {
              "lessThan": "\u003c 6.0.5",
              "status": "affected",
              "version": "\u003e= 6.0.0-alpha",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "nmmorette"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "kuzmany"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "patrykgruszka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch2\u003eSummary\u003c/h2\u003e\u003cp\u003eA Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user\u2019s session. This occurs because user-supplied input is reflected back in the server\u2019s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.\u003c/p\u003e\u003ch2\u003eDetails\u003c/h2\u003e\u003cp\u003eThe vulnerability resides in the \u201cTags\u201d input field on the /s/ajax?action=lead:addLeadTags endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim\u2019s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user\u2019s session.\u003c/p\u003e\u003ch2\u003eImpact\u003c/h2\u003e\u003cp\u003eA Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, manipulate the web page content, and essentially take control of a user\u0027s session within an application by executing malicious JavaScript code within the victim\u0027s browser, even if the server-side code is secure; essentially enabling them to perform actions as if they were the logged-in user.\u003c/p\u003e\u003ch2\u003eReferences\u003c/h2\u003e\u003cul\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://portswigger.net/web-security/cross-site-scripting\"\u003eWeb Security Academy: Cross-site scripting\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://portswigger.net/web-security/cross-site-scripting/reflected\"\u003eWeb Security Academy: Reflected cross-site scripting\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "SummaryA Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user\u2019s session. This occurs because user-supplied input is reflected back in the server\u2019s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.\n\nDetailsThe vulnerability resides in the \u201cTags\u201d input field on the /s/ajax?action=lead:addLeadTags endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim\u2019s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user\u2019s session.\n\nImpactA Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, manipulate the web page content, and essentially take control of a user\u0027s session within an application by executing malicious JavaScript code within the victim\u0027s browser, even if the server-side code is secure; essentially enabling them to perform actions as if they were the logged-in user.\n\nReferences  *   Web Security Academy: Cross-site scripting https://portswigger.net/web-security/cross-site-scripting \n  *   Web Security Academy: Reflected cross-site scripting https://portswigger.net/web-security/cross-site-scripting/reflected"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T14:33:26.111Z",
        "orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e",
        "shortName": "Mautic"
      },
      "references": [
        {
          "url": "https://github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm"
        }
      ],
      "source": {
        "advisory": "GHSA-9v8p-m85m-f7mm",
        "discovery": "EXTERNAL"
      },
      "title": "Reflected XSS in lead:addLeadTags - Quick Add",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e",
    "assignerShortName": "Mautic",
    "cveId": "CVE-2025-9823",
    "datePublished": "2025-09-03T14:33:26.111Z",
    "dateReserved": "2025-09-02T08:22:35.286Z",
    "dateUpdated": "2025-09-03T17:33:19.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-9823\",\"sourceIdentifier\":\"security@mautic.org\",\"published\":\"2025-09-03T15:15:49.247\",\"lastModified\":\"2025-09-04T15:35:29.497\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SummaryA Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user\u2019s session. This occurs because user-supplied input is reflected back in the server\u2019s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.\\n\\nDetailsThe vulnerability resides in the \u201cTags\u201d input field on the /s/ajax?action=lead:addLeadTags endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim\u2019s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user\u2019s session.\\n\\nImpactA Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, manipulate the web page content, and essentially take control of a user\u0027s session within an application by executing malicious JavaScript code within the victim\u0027s browser, even if the server-side code is secure; essentially enabling them to perform actions as if they were the logged-in user.\\n\\nReferences  *   Web Security Academy: Cross-site scripting https://portswigger.net/web-security/cross-site-scripting \\n  *   Web Security Academy: Reflected cross-site scripting https://portswigger.net/web-security/cross-site-scripting/reflected\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@mautic.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security@mautic.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm\",\"source\":\"security@mautic.org\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-9823\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-03T17:32:56.733259Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-03T17:33:12.775Z\"}}], \"cna\": {\"title\": \"Reflected XSS in lead:addLeadTags - Quick Add\", \"source\": {\"advisory\": \"GHSA-9v8p-m85m-f7mm\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"nmmorette\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"kuzmany\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"patrykgruszka\"}], \"impacts\": [{\"capecId\": \"CAPEC-591\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-591 Reflected XSS\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 4.8, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/mautic/mautic\", \"vendor\": \"Mautic\", \"product\": \"Mautic\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.4.0\", \"lessThan\": \"\u003c 4.4.17\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"\u003e= 5.0.0-alpha\", \"lessThan\": \"\u003c 5.2.8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"\u003e= 6.0.0-alpha\", \"lessThan\": \"\u003c 6.0.5\", \"versionType\": \"semver\"}], \"packageName\": \"mautic/core\", \"collectionURL\": \"https://packagist.org\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/mautic/mautic/security/advisories/GHSA-9v8p-m85m-f7mm\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"SummaryA Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user\\u2019s session. This occurs because user-supplied input is reflected back in the server\\u2019s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.\\n\\nDetailsThe vulnerability resides in the \\u201cTags\\u201d input field on the /s/ajax?action=lead:addLeadTags endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim\\u2019s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user\\u2019s session.\\n\\nImpactA Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, manipulate the web page content, and essentially take control of a user\u0027s session within an application by executing malicious JavaScript code within the victim\u0027s browser, even if the server-side code is secure; essentially enabling them to perform actions as if they were the logged-in user.\\n\\nReferences  *   Web Security Academy: Cross-site scripting https://portswigger.net/web-security/cross-site-scripting \\n  *   Web Security Academy: Reflected cross-site scripting https://portswigger.net/web-security/cross-site-scripting/reflected\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003ch2\u003eSummary\u003c/h2\u003e\u003cp\u003eA Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user\\u2019s session. This occurs because user-supplied input is reflected back in the server\\u2019s response without proper sanitization or escaping, potentially enabling malicious actions such as session hijacking, credential theft, or unauthorized actions in the application.\u003c/p\u003e\u003ch2\u003eDetails\u003c/h2\u003e\u003cp\u003eThe vulnerability resides in the \\u201cTags\\u201d input field on the /s/ajax?action=lead:addLeadTags endpoint. Although the server applies sanitization before storing the data or returning it later, the payload is executed immediately in the victim\\u2019s browser upon reflection, allowing an attacker to run arbitrary JavaScript in the user\\u2019s session.\u003c/p\u003e\u003ch2\u003eImpact\u003c/h2\u003e\u003cp\u003eA Reflected XSS attack can have a significant impact, allowing attackers to steal sensitive user data like cookies, redirect users to malicious websites, manipulate the web page content, and essentially take control of a user\u0027s session within an application by executing malicious JavaScript code within the victim\u0027s browser, even if the server-side code is secure; essentially enabling them to perform actions as if they were the logged-in user.\u003c/p\u003e\u003ch2\u003eReferences\u003c/h2\u003e\u003cul\u003e\u003cli\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://portswigger.net/web-security/cross-site-scripting\\\"\u003eWeb Security Academy: Cross-site scripting\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://portswigger.net/web-security/cross-site-scripting/reflected\\\"\u003eWeb Security Academy: Reflected cross-site scripting\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"4e531c38-7a33-45d3-98dd-d909c0d8852e\", \"shortName\": \"Mautic\", \"dateUpdated\": \"2025-09-03T14:33:26.111Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-9823\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-03T17:33:19.941Z\", \"dateReserved\": \"2025-09-02T08:22:35.286Z\", \"assignerOrgId\": \"4e531c38-7a33-45d3-98dd-d909c0d8852e\", \"datePublished\": \"2025-09-03T14:33:26.111Z\", \"assignerShortName\": \"Mautic\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.