CVE-2022-25772: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the web tracking component of Mautic versions prior to 4.3.0. The vulnerability, identified as CVE-2022-25772, was disclosed on February 22, 2022. The issue affects the tracking pixel functionality used for monitoring open rates, where insufficient filtering of tracking metadata could lead to security risks (Mautic Advisory).

The vulnerability stems from improperly sanitized user metadata collected from tracking pixels. The CVSS v3.1 base score was rated as 6.1 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Mautic assessed it as 9.6 (CRITICAL) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

Successful exploitation of this vulnerability could allow remote attackers to execute script code in the security context of the target user's browser. The vulnerability potentially enables system compromise, allowing remote attackers to gain control of vulnerable systems (FortiGuard).

The vulnerability was patched in Mautic version 4.3.0. No workarounds are available, and users are strongly advised to upgrade to the patched version. The fix addresses the insufficient filtering of tracking metadata output (Mautic Advisory).