Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01aGM1LWZ4cjktNWZyY84AA_rw

Mautic has insufficient authentication in upgrade flow

Mautic allows you to update the application via an upgrade script.

The upgrade logic isn't shielded off correctly, which may lead to a vulnerable situation.

This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.

Permalink: https://github.com/advisories/GHSA-5hc5-fxr9-5frc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01aGM1LWZ4cjktNWZyY84AA_rw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago


CVSS Score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Identifiers: GHSA-5hc5-fxr9-5frc, CVE-2022-25770
References: Repository: https://github.com/mautic/mautic
Blast Radius: 3.7

Affected Packages

packagist:mautic/core
Dependent packages: 2
Dependent repositories: 3
Downloads: 1,998 total
Affected Version Ranges: >= 1.0.0-beta3, < 4.4.13; >= 5.0.0, < 5.1.1
Fixed in: 5.1.1, 4.4.13
All affected versions: 1.0.0, 1.0.0-beta3, 1.0.0-beta4, 1.0.0-rc1, 1.0.0-rc2, 1.0.0-rc3, 1.0.0-rc4, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0
All unaffected versions: 4.4.13, 5.1.1