CVE-2024-47058: 
PHP vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was identified in Mautic forms, tracked as CVE-2024-47058. The vulnerability affects Mautic versions from 1.0.0 up to (excluding) 4.4.13 and versions from 5.0.0 up to (excluding) 5.1.1. The vulnerability was disclosed on September 18, 2024, allowing attackers with form editing privileges to store malicious HTML code in form fields (Vendor Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 scores vary between sources, with NIST assigning a base score of 4.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Mautic assigns a score of 2.9 (LOW) with vector CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L (NVD).

If exploited, this vulnerability could allow attackers to steal sensitive information from the user's current session through stored XSS attacks in Mautic form HTML fields (Vendor Advisory).

Users are advised to upgrade to Mautic version 4.4.13 or 5.1.1 or later to address this vulnerability. No alternative workarounds are available (Vendor Advisory).