Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tajZtLTI0NmgtOXc1Ns0vhQ
Improper regex in htaccess file
Impact
the default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed in the root of the application.
This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path.
Patches
Please upgrade to 3.3.5 or 4.2.0
Workarounds
No
References
- Release post: https://www.mautic.org/blog/community/mautic-4-2-one-small-step-mautic
- Internally tracked under MST-32
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tajZtLTI0NmgtOXc1Ns0vhQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: about 2 years ago
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-mj6m-246h-9w56, CVE-2022-25769
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-mj6m-246h-9w56
- https://github.com/advisories/GHSA-mj6m-246h-9w56
Blast Radius: 0.0
Affected Packages
packagist:mautic/core
Dependent packages: 2Dependent repositories: 3
Downloads: 2,009 total
Affected Version Ranges: >= 4.0.0, < 4.2.0, < 3.3.5
Fixed in: 4.2.0, 3.3.5
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2
All unaffected versions: 3.3.5, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.2.0, 5.2.1