Base Score

MEDIUM6.5

CVE-2022-25768

The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required.

VectorNETWORK

Published Bysecurity@mautic.org

Published DateSep 18, 2024, 21:15

Affected Versions(4)

mautic/core-lib(Packagist)

Introduced1.1.3

Fixed4.4.13

LimitN/A

mautic/core-lib(Packagist)

Introduced5.0.0-alpha

Fixed5.1.1

LimitN/A

mautic/core(Packagist)

Introduced1.1.3

Fixed4.4.13

LimitN/A

mautic/core(Packagist)

Introduced5.0.0-alpha

Fixed5.1.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
mautic/core-lib(Packagist)	1.1.3	4.4.13	N/A
mautic/core-lib(Packagist)	5.0.0-alpha	5.1.1	N/A
mautic/core(Packagist)	1.1.3	4.4.13	N/A
mautic/core(Packagist)	5.0.0-alpha	5.1.1	N/A

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE

References

https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc

Base Score

MEDIUM6.5

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

NONE