CVE-2017-1000490 – mautic/core
Package
Manager: composer
Name: mautic/core
Vulnerable Version: >=1.0.0 <2.12.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00344 (percentile: 0.56269)
Details
Mautic users are able to download any files from the server using the Filemanager

### Impact
Mautic versions 1.0.0 - 2.11.0 allow any authorized Mautic user session (the user must be logged into Mautic) to use the Filemanager to download any file from the server that the web user has access to.

### Patches
Update to 2.12.0 or later.

### Workarounds
None

### For more information
If you have any questions or comments about this advisory:
* Email us at [security@mautic.org](mailto:security@mautic.org)
Metadata
Created: 2021-01-19T20:50:38Z
Modified: 2023-09-11T13:40:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-qpgw-2c72-4c89/GHSA-qpgw-2c72-4c89.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-qpgw-2c72-4c89
Finding: F063
Auto approve: 1