GHSA-5hc5-fxr9-5frc

Suggest an improvement
Source
https://github.com/advisories/GHSA-5hc5-fxr9-5frc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-5hc5-fxr9-5frc/GHSA-5hc5-fxr9-5frc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5hc5-fxr9-5frc
Aliases
  • CVE-2022-25770
Published
2024-09-19T00:31:32Z
Modified
2024-09-19T16:13:42.207484Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H CVSS Calculator
  • 7.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Mautic has insufficient authentication in upgrade flow
Details

Mautic allows you to update the application via an upgrade script.

The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation.

This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.

References

Affected packages

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0-beta3
Fixed
4.4.13

Affected versions

1.*

1.0.0-beta3
1.0.0-beta4
1.0.0-rc1
1.0.0-rc2
1.0.0-rc3
1.0.0-rc4
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0-beta1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.4.0
1.4.1

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.9.0-beta
2.9.0
2.9.1
2.9.2
2.10.0-beta
2.10.0
2.10.1
2.11.0-beta
2.11.0
2.12.0-beta
2.12.0
2.12.1-beta
2.12.1
2.12.2-beta
2.12.2
2.13.0-beta
2.13.0
2.13.1
2.14.0-beta
2.14.0
2.14.1-beta
2.14.1
2.14.2-beta
2.14.2
2.15.0-beta
2.15.0
2.15.1-beta
2.15.1
2.15.2-beta
2.15.2
2.15.3-beta
2.15.3
2.16.0-beta
2.16.0
2.16.1-beta
2.16.1
2.16.2-beta
2.16.2
2.16.3-beta
2.16.3
2.16.4
2.16.5

3.*

3.0.0-alpha
3.0.0-beta
3.0.0-beta2
3.0.0
3.0.1
3.0.2-rc
3.0.2
3.1.0-rc
3.1.0
3.1.1-rc
3.1.1
3.1.2-rc
3.1.2
3.2.0-rc
3.2.0
3.2.1
3.2.2-rc
3.2.2
3.2.3
3.2.4
3.2.5-rc
3.2.5
3.3.0-rc
3.3.0
3.3.1
3.3.2-rc
3.3.2
3.3.3-rc
3.3.3
3.3.4
3.3.5

4.*

4.0.0-alpha1
4.0.0-beta
4.0.0-rc
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.2.0-rc
4.2.0-rc1
4.2.0
4.2.1
4.2.2
4.3.0-beta
4.3.0-rc
4.3.0
4.3.1
4.4.0-beta
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.1.1

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0