GHSA-x3jx-5w6m-q2fc

Suggest an improvement
Source
https://github.com/advisories/GHSA-x3jx-5w6m-q2fc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-x3jx-5w6m-q2fc/GHSA-x3jx-5w6m-q2fc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x3jx-5w6m-q2fc
Aliases
  • CVE-2022-25768
Published
2024-09-18T17:43:36Z
Modified
2024-09-18T22:49:46.062746Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVSS Calculator
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Mautic vulnerable to Improper Access Control in UI upgrade process
Details

Impact

The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required.

Patches

Upgrade to 4.4.13 or 5.1.1 or later.

Workarounds

None.

For more information

If you have any questions or comments about this advisory: * Email us at security@mautic.org

Database specific
{
    "nvd_published_at": "2024-09-18T21:15:12Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-18T17:43:36Z"
}
References

Affected packages

Packagist / mautic/core-lib

Package

Name
mautic/core-lib
Purl
pkg:composer/mautic/core-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.3
Fixed
4.4.13

Affected versions

4.*

4.0.0-alpha1
4.0.0-beta
4.0.0-rc
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.2.0-rc
4.2.0-rc1
4.2.0
4.2.1
4.2.2
4.3.0-beta
4.3.0-rc
4.3.0
4.3.1
4.4.0
4.4.1-alpha
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12

Packagist / mautic/core-lib

Package

Name
mautic/core-lib
Purl
pkg:composer/mautic/core-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0-alpha
Fixed
5.1.1

Affected versions

5.*

5.0.0-alpha
5.0.0-alpha1
5.0.0-beta1
5.0.0-beta2
5.0.0-rc1
5.0.0-rc2
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.3
Fixed
4.4.13

Affected versions

1.*

1.1.3
1.2.0-beta1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.4.0
1.4.1

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.9.0-beta
2.9.0
2.9.1
2.9.2
2.10.0-beta
2.10.0
2.10.1
2.11.0-beta
2.11.0
2.12.0-beta
2.12.0
2.12.1-beta
2.12.1
2.12.2-beta
2.12.2
2.13.0-beta
2.13.0
2.13.1
2.14.0-beta
2.14.0
2.14.1-beta
2.14.1
2.14.2-beta
2.14.2
2.15.0-beta
2.15.0
2.15.1-beta
2.15.1
2.15.2-beta
2.15.2
2.15.3-beta
2.15.3
2.16.0-beta
2.16.0
2.16.1-beta
2.16.1
2.16.2-beta
2.16.2
2.16.3-beta
2.16.3
2.16.4
2.16.5

3.*

3.0.0-alpha
3.0.0-beta
3.0.0-beta2
3.0.0
3.0.1
3.0.2-rc
3.0.2
3.1.0-rc
3.1.0
3.1.1-rc
3.1.1
3.1.2-rc
3.1.2
3.2.0-rc
3.2.0
3.2.1
3.2.2-rc
3.2.2
3.2.3
3.2.4
3.2.5-rc
3.2.5
3.3.0-rc
3.3.0
3.3.1
3.3.2-rc
3.3.2
3.3.3-rc
3.3.3
3.3.4
3.3.5

4.*

4.0.0-alpha1
4.0.0-beta
4.0.0-rc
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.2.0-rc
4.2.0-rc1
4.2.0
4.2.1
4.2.2
4.3.0-beta
4.3.0-rc
4.3.0
4.3.1
4.4.0-beta
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0-alpha
Fixed
5.1.1

Affected versions

5.*

5.0.0-alpha
5.0.0-alpha1
5.0.0-beta1
5.0.0-beta2
5.0.0-rc1
5.0.0-rc2
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0