
GSA_kwCzR0hTQS0zZnE3LWM1bTgtZzg2eM4ABPH8

Severity: Critical (CVSS 9.0)
EPSS: 0.00043% (0.12933 percentile)

Mautic user without privileged access to the Marketplace can install and uninstall composer packages

Affected package:       packagist:mautic/core
Affected versions:      >= 6.0.0, < 6.0.7; >= 5.0.0, < 5.2.9; >= 4.0.0, < 4.4.18
Fixed versions:         6.0.7, 5.2.9, 4.4.18
Dependent packages:     2
Dependent repositories: 3
Downloads total:        2,487

Affected Version Ranges

All affected versions

4.0.0, 4.0.0-alpha1, 4.0.0-beta, 4.0.0-rc, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.0-rc, 4.2.0-rc1, 4.2.1, 4.2.2, 4.3.0, 4.3.0-beta, 4.3.0-rc, 4.3.1, 4.4.0, 4.4.0-beta, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 6.0.0, 6.0.0-alpha, 6.0.0-beta, 6.0.0-beta2, 6.0.0-rc, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6

All unaffected versions

1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 5.2.9, 6.0.7

Summary

A non-privileged user can install and remove arbitrary Composer packages on a Composer-based installation, even when the "enable composer based update" flag in the update settings is unticked. Leaving that flag disabled is therefore not a mitigation; upgrading to a fixed version is.

Impact

A low-privileged user of the platform can install malicious code via this path and use it to obtain higher privileges.
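To turn the affected ranges above into an automated check, the following added example (written for this page, not code from the Mautic project or the advisory service) reads a composer.lock document, finds the mautic/core entry and reports whether it falls inside one of the three affected ranges and which fixed version closes it. The composer.lock content embedded below is constructed for the demonstration; point check_composer_lock at the real file of a deployment to assess it. Pre-release tags (6.0.0-beta2, 4.2.0-rc1) are reduced to their base release, which matches the advisory's own enumerated list that counts pre-releases of an affected release as affected; branch versions such as dev-main cannot be placed against the ranges and are reported as unassessable rather than guessed.

```python
"""Check a Composer-based Mautic installation against the affected ranges in this advisory."""
import json
import re

# Affected ranges copied from the advisory table: lower bound inclusive, upper bound exclusive.
# The upper bound of each range is the fixed release for that major line.
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 4, 18)),
    ((5, 0, 0), (5, 2, 9)),
    ((6, 0, 0), (6, 0, 7)),
]

# Optional leading "v" (Composer tags often carry it), three numeric components,
# optional pre-release suffix such as "-beta2" or "-rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.]?([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return (major, minor, patch) for a release-style Composer version string.

    The pre-release suffix is dropped on purpose: the advisory's enumerated list treats
    6.0.0-beta2 and 4.0.0-alpha1 as affected, so they must sort into their base release.
    Anything that is not a release-style version (e.g. "dev-main") raises ValueError.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups()[:3])


def is_affected(version):
    """True if the version lies inside any affected range."""
    parsed = parse_version(version)
    return any(lower <= parsed < upper for lower, upper in AFFECTED_RANGES)


def fixed_version_for(version):
    """Return the fixed release (the exclusive upper bound of the matching range), or None."""
    parsed = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if lower <= parsed < upper:
            return ".".join(str(part) for part in upper)
    return None


def check_composer_lock(lock_text):
    """Locate mautic/core in a composer.lock document and assess it against the ranges."""
    lock = json.loads(lock_text)
    for package in lock.get("packages", []):
        if package.get("name") != "mautic/core":
            continue
        version = package.get("version", "")
        try:
            affected = is_affected(version)
        except ValueError:
            # Branch aliases like dev-main carry no release number; do not guess.
            return {"version": version, "affected": None,
                    "note": "non-release version; cannot be assessed from the ranges"}
        return {"version": version, "affected": affected,
                "fix": fixed_version_for(version) if affected else None}
    return {"version": None, "affected": None, "note": "mautic/core not present in composer.lock"}


# Constructed sample lock file for the demonstration (not a real deployment's file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "v6.4.0"},
        {"name": "mautic/core", "version": "5.2.8"},
    ]
})


if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
    for candidate in ["3.3.5", "4.0.0-alpha1", "4.4.18", "6.0.0-beta2", "6.0.7", "dev-main"]:
        try:
            print(candidate, "affected" if is_affected(candidate) else "not affected")
        except ValueError as err:
            print(candidate, "unassessable:", err)
```

To run it against a live install, replace SAMPLE_LOCK with the contents of the deployment's composer.lock, or feed `composer show mautic/core` output into is_affected.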
