CVE-2022-25770 – mautic/core

Package

Manager: composer
Name: mautic/core
Vulnerable Version: >=1.0.0-beta3 <4.4.13 || >=5.0.0-alpha <5.1.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00115 pctl0.30873

Details

Mautic has insufficient authentication in upgrade flow ### Impact Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable ### Patches Please upgrade to 4.4.1 or 5.1.1 or later. ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at [security@mautic.org](mailto:security@mautic.org)

Metadata

Created: 2024-09-18T22:06:13Z
Modified: 2025-02-21T22:13:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-qf6m-6m4g-rmrc/GHSA-qf6m-6m4g-rmrc.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-qf6m-6m4g-rmrc
Finding: F006
Auto approve: 1