Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qajZ3LTJjcWctN3A5NM4AA69Y
Mautic SQL Injection in dynamic Reports
Impact
Prior to the patched versions, Mautic is vulnerable to SQL injection in the Reports bundle; the flaw is exploitable by logged-in users.
Such a user could retrieve and alter data, including sensitive data and login credentials, and, depending on the database permissions, manipulate the file system.
Patches
Update to 4.4.12 or 5.0.4
Workarounds
None.
References
- https://owasp.org/www-community/attacks/SQL_Injection
- https://owasp.org/www-community/attacks/Blind_SQL_Injection
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qajZ3LTJjcWctN3A5NM4AA69Y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 4 months ago
CVSS Score: 6.6
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0005
EPSS Percentile: 0.20516
Identifiers: GHSA-jj6w-2cqg-7p94, CVE-2022-25775
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-jj6w-2cqg-7p94
- https://github.com/mautic/mautic/commit/cab65e0acc4f23c4f07c117dee1b69dac5abed3f
- https://github.com/mautic/mautic/commit/e75b1eea16309588f069169b5882cf53f854dbd8
- https://nvd.nist.gov/vuln/detail/CVE-2022-25775
- https://github.com/advisories/GHSA-jj6w-2cqg-7p94
Blast Radius: 3.1
Affected Packages
packagist:mautic/core
Dependent packages: 2
Dependent repositories: 3
Downloads: 2,009 total
Affected Version Ranges: >= 5.0.0-alpha, < 5.0.4, >= 2.14.1, < 4.4.12
Fixed in: 5.0.4, 4.4.12
All affected versions: 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 4.4.12, 4.4.13, 5.0.4, 5.1.0, 5.1.1, 5.2.0, 5.2.1