GHSA-4w2w-36vm-c8hf

Source

https://github.com/advisories/GHSA-4w2w-36vm-c8hf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-4w2w-36vm-c8hf/GHSA-4w2w-36vm-c8hf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4w2w-36vm-c8hf

Aliases

CVE-2022-25773

Published

2025-02-26T20:09:28Z

Modified

2025-10-16T20:51:33.085042Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Mautic allows Relative Path Traversal in assets file upload

Details

Summary

This advisory addresses a file placement vulnerability that could allow assets to be uploaded to unintended directories on the server.

Improper Limitation of a Pathname to a Restricted Directory: A vulnerability exists in the asset upload functionality that allows users to upload files to directories outside of the intended temporary directory.

Mitigation

Please update to 5.2.3 or later.

Workarounds

None

References

If you have any questions or comments about this advisory:

Email us at security@mautic.org

Database specific

{
    "github_reviewed_at": "2025-02-26T20:09:28Z",
    "nvd_published_at": "2025-02-26T13:15:32Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true
}

References

Affected packages

Packagist / mautic/core

Package

Name: mautic/core
Purl: pkg:composer/mautic/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.3

Affected versions

1.*

1.0.0-beta

1.0.0-beta2

1.0.0-beta3

1.0.0-beta4

1.0.0-rc1

1.0.0-rc2

1.0.0-rc3

1.0.0-rc4

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0-beta1

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0

1.3.1

1.4.0

1.4.1

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.2.1

2.3.0

2.4.0

2.5.0

2.5.1

2.6.0

2.6.1

2.7.0

2.7.1

2.8.0

2.8.1

2.8.2

2.9.0-beta

2.9.0

2.9.1

2.9.2

2.10.0-beta

2.10.0

2.10.1

2.11.0-beta

2.11.0

2.12.0-beta

2.12.0

2.12.1-beta

2.12.1

2.12.2-beta

2.12.2

2.13.0-beta

2.13.0

2.13.1

2.14.0-beta

2.14.0

2.14.1-beta

2.14.1

2.14.2-beta

2.14.2

2.15.0-beta

2.15.0

2.15.1-beta

2.15.1

2.15.2-beta

2.15.2

2.15.3-beta

2.15.3

2.16.0-beta

2.16.0

2.16.1-beta

2.16.1

2.16.2-beta

2.16.2

2.16.3-beta

2.16.3

2.16.4

2.16.5

3.*

3.0.0-alpha

3.0.0-beta

3.0.0-beta2

3.0.0

3.0.1

3.0.2-rc

3.0.2

3.1.0-rc

3.1.0

3.1.1-rc

3.1.1

3.1.2-rc

3.1.2

3.2.0-rc

3.2.0

3.2.1

3.2.2-rc

3.2.2

3.2.3

3.2.4

3.2.5-rc

3.2.5

3.3.0-rc

3.3.0

3.3.1

3.3.2-rc

3.3.2

3.3.3-rc

3.3.3

3.3.4

3.3.5

4.*

4.0.0-alpha1

4.0.0-beta

4.0.0-rc

4.0.0

4.0.1

4.0.2

4.1.0

4.1.1

4.1.2

4.2.0-rc

4.2.0-rc1

4.2.0

4.2.1

4.2.2

4.3.0-beta

4.3.0-rc

4.3.0

4.3.1

4.4.0-beta

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.4.11

4.4.12

4.4.13

5.*

5.0.0-alpha

5.0.0-alpha1

5.0.0-beta1

5.0.0-beta2

5.0.0-rc1

5.0.0-rc2

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.1.0

5.1.1

5.2.0

5.2.1

5.2.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-4w2w-36vm-c8hf/GHSA-4w2w-36vm-c8hf.json"