CVE-2022-25768

HIGH

Mautic 1.1.3-4.4.12 - Unauthenticated Update Process Access

Title source: llm

Description

The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required.

References (1)

Core 1

Core References

Vendor Advisory

https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc

Scores

CVSS v3 7.0

EPSS 0.0028

EPSS Percentile 19.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-287 CWE-862

Status published

Products (3)

acquia/mautic 1.1.3 - 4.4.13

mautic/core 1.1.3 - 4.4.13Packagist

mautic/core-lib 1.1.3 - 4.4.13Packagist

Published Sep 18, 2024

Tracked Since Feb 18, 2026