CVE-2018-10189

An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It is possible to systematically emulate tracking cookies per contact due to tracking the contact by their auto-incremented ID. Thus, a third party can manipulate the cookie value with +1 to systematically assume being tracked as each contact in Mautic. It is then possible to retrieve information about the contact through forms that have progressive profiling enabled.

Published: Apr 17, 2018
Updated: May 9, 2024
CVE: CVE-2018-10189
GHSA: GHSA-vfxj-qg93-7wwc
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
mautic / mautic	1.0.0	1.4.1.x
mautic / mautic	2.0.0	2.13.0
mautic / core	-	2.13.0

https://github.com/mautic/mautic/releases/tag/2.13.0
https://github.com/mautic/mautic/security/advisories/GHSA-vfxj-qg93-7wwc

Vulnerability Database

CVE-2018-10189