GHSA-438m-6mhw-hq5w

Source

https://github.com/advisories/GHSA-438m-6mhw-hq5w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-438m-6mhw-hq5w/GHSA-438m-6mhw-hq5w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-438m-6mhw-hq5w

Aliases

CVE-2025-9822

Published

2025-09-03T22:18:20Z

Modified

2025-09-03T22:27:22.468923Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N CVSS Calculator

Summary

Mautic vulnerable to secret data extraction via elfinder

Details

Summary

A user with administrator rights can change the configuration of the mautic application and extract secrets that are not normally available.

Impact

An administrator who usually does not have access to certain parameters, such as database credentials, can disclose them.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-283"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2025-09-03T14:15:46Z",
    "github_reviewed_at": "2025-09-03T22:18:20Z"
}

References

Affected packages

Packagist / mautic/core

Package

Name: mautic/core
Purl: pkg:composer/mautic/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.4.0

Fixed

4.4.17

Affected versions

4.*

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

4.4.13

Packagist / mautic/core

Package

Name: mautic/core
Purl: pkg:composer/mautic/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-alpha

Fixed

5.2.8

Affected versions

5.*

5.0.0-alpha

5.0.0-alpha1

5.0.0-beta1

5.0.0-beta2

5.0.0-rc1

5.0.0-rc2

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.1.0

5.1.1

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

Packagist / mautic/core

Package

Name: mautic/core
Purl: pkg:composer/mautic/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0-alpha

Fixed

6.0.5

Affected versions

6.*

6.0.0-alpha

6.0.0-beta2

6.0.0-rc

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4