CVE-2021-27908
MEDIUMMautic < 3.3.2 - Authenticated Information Disclosure via Symfony Parameter Injection
Title source: llmDescription
In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the free text fields in Mautic’s configuration that are used in publicly facing parts of the application.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/mautic/mautic/security/advisories/GHSA-4hjq-422q-4vpx
Scores
CVSS v3
5.8
EPSS
0.0034
EPSS Percentile
26.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Details
CWE
CWE-200
CWE-74
Status
published
Products (2)
acquia/mautic
< 3.3.2
mautic/core
0 - 3.3.2Packagist
Published
Mar 23, 2021
Tracked Since
Feb 18, 2026