Relative Path Traversal and Arbitrary File Deletion Vulnerability in Mautic
CVE-2021-27916

8.1HIGH

Key Information:

Vendor: Mautic
Status: Mautic
Vendor: CVE Published:; 17 September 2024

What is CVE-2021-27916?

A vulnerability exists in the Mautic application prior to version 3.3.1 that permits logged-in users to exploit relative path traversal, allowing them to delete arbitrary files outside the designated media folders. This poses a risk not only to user-generated content but potentially to critical system files and libraries. The issue stems from the GrapesJS builder's implementation, highlighting the need for security best practices within content management systems. Organizations using Mautic are advised to update to the latest version to mitigate this risk.

Affected Version(s)

Mautic >= 3.3.0 <= 3.3.0

Mautic >= 5.0.0 <= 5.0.0

References

https://github.com/mautic/mautic/security/advisories/GHSA...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 17, 2024
Vulnerability Reserved
Mar 2, 2021

Credit

Mattias Michaux

Lenon Leite

Adrian Schimpf

Avikarsha Saha

John Linhart