CVE-2022-25775 – mautic/core

Package

Manager: composer
Name: mautic/core
Vulnerable Version: >=2.14.1 <4.4.12 || >=5.0.0-alpha <5.0.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00027 pctl0.05955

Details

Mautic SQL Injection in dynamic Reports ### Impact Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle. The user could retrieve and alter data like sensitive data, login, and depending on database permission the attacker can manipulate file systems. ### Patches Update to 4.4.12 or 5.0.4 ### Workarounds No ### References - https://owasp.org/www-community/attacks/SQL_Injection - https://owasp.org/www-community/attacks/Blind_SQL_Injection

Metadata

Created: 2024-04-12T17:25:15Z
Modified: 2024-09-18T16:56:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-jj6w-2cqg-7p94/GHSA-jj6w-2cqg-7p94.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-jj6w-2cqg-7p94
Finding: F297
Auto approve: 1